Intelligent Traffic Manager - White Paper


  • 8/3/2019 Intelligent Traffic Manager - White Paper


    APPLICATION NOTE

    Intelligent Traffic Management
    Protecting the Subscriber's QoE while Securing the Integrity of the Wireless Network


    Abstract

    With the widespread adoption of new smart devices and their applications, wireless service providers are facing a challenging environment in the advent of broadband wireless communications. Not only is there an explosion of broadband data, but the way that these new applications are stressing the network is unpredictable, transient, and at times unexpected. This has created an environment where the monitoring and analytic tools of the legacy systems are no longer suitable to really understand these new issues.

    This paper first describes how the 9900 Wireless Network Guardian (WNG) is able to uniquely understand the dynamics of wireless broadband data and correlate it hop-by-hop to device-specific IP packet flows. With this new insight (i.e., Wireless Network Intelligence), the wireless service provider will be in a position to identify specific network anomalies down to the specific device and application that could compromise the mobile data experience of a valued subscriber and potentially jeopardize the integrity of the network itself.

    This paper then discusses how the 5780 Dynamic Services Controller (DSC) can leverage this intelligence to create new business rules that can be dynamically triggered to protect the Quality of Experience (QoE) of valued subscribers while bolstering the integrity of the wireless network. Finally, this paper presents the solution called Intelligent Traffic Management (ITM) that represents the integration between the 9900 WNG and the 5780 DSC and details the specific mechanics behind it.


    Table of contents

    1. The need for wireless network intelligence

    2. Extracting wireless network intelligence using the 9900 Wireless Network Guardian

    3. Enriching policy decisions with the 5780 DSC and wireless network intelligence

    4. Intelligent Traffic Management

    4.1 A new breed of unwanted data traffic and anomalies

    4.2 Intelligent Traffic Management

    4.3 Heavy user use-case example

    5. Conclusion

    6. Abbreviations

    7. Resources


    1. The need for wireless network intelligence

    The explosion of smartphones, tablet computers, and other wireless-enabled devices, coupled with the availability of thousands of new applications that leverage IP-based mobile data networks, is creating a new and challenging environment for the wireless service provider. This environment is a lot more transient and unpredictable than traditional mobile voice networks and presents unique and complex challenges for service providers to maintain their subscribers' QoE while securing the integrity of their networks.

    Today, service providers do have the visibility into segments of their network but it is not correlated to the subscribers and their applications nor does it provide an end-to-end view. As a result, it is difficult to identify and characterize the impact that specific sources (i.e., devices, local and Internet applications, etc.) have on network capacity, performance, and security. Traditional radio management tools can indicate when performance is bad or when a certain capacity is being exceeded, but they do not explain why or which applications and/or devices are causing the problem.

    Service providers also have other tools such as Deep Packet Inspection (DPI) that monitors and manages core IP traffic, but they cannot identify and report on the impact that IP traffic has on a specific Radio Access Network (RAN). Using these tools may result in corrective actions that represent a more broad-brush approach that may not correct the situation and can negatively impact other subscribers and potentially degrade their service. This broad-brush approach can also squander precious network resources due to the lack of precision. For example, with some DPI approaches, if there is congestion in the RAN, service providers can choose to cap service delivery for an entire application class, thereby impacting customers who are not contributing to the issue; or service providers might cap service across all traffic from certain subscribers, including applications that are not creating problems.

    To move away from these existing approaches, service providers have to gain an understanding of the specific interactions between device and application traffic and network performance/capacity and where these worlds overlap. As depicted in Figure 1, service providers need to fill in the blind spot that, up until now, has made it hard for them to identify the specific sources of subscriber-impacting issues.

    Figure 1. The blind spot facing wireless service providers today

    [Figure 1 labels: Network loading and performance; Subscriber wireless IP broadband traffic; ?]


    2. Extracting wireless network intelligence using the 9900 Wireless Network Guardian

    The Alcatel-Lucent 9900 WNG provides a unique insight into this blind spot by understanding the real-time capacity of all network elements and links. Combined with its application and device knowledge, the 9900 WNG can correlate each application flow to specific devices, elements, and links in the RAN, backhaul network, and packet core by following the end-to-end packet flow to and from the subscriber's device.

    This approach allows the 9900 WNG to passively monitor, in real-time, every subscriber's data experience while automatically analyzing and identifying the root-cause issues such as anomalous events (e.g., heavy users, signaling overloading, security threats, etc.) that are contributing to a subscriber's degraded experience.

    This also enables the 9900 WNG to identify which network elements are capacity-constrained in the dimensions of bandwidth, airtime exhaustion, and signaling overload right down to the cell site level. It also makes clear the sources of these constraints in terms of users, applications, application servers and devices. This allows service providers to understand what is creating capacity constraints and also what may be deteriorating performance. Figure 2 illustrates how the 9900 WNG correlates each device and each application with every network hop to provide deep understanding of how devices and applications impact the wireless network and how network performance impacts each subscriber's QoE.

    Figure 2. The 9900 WNG providing wireless network intelligence

    With this deep and powerful level of correlation, unique insight or wireless network intelligence can be used to empower service providers to proactively maintain a subscriber's QoE while securing the integrity of the network. The next section discusses how wireless network intelligence can be used to enrich policy decisions with the 5780 DSC.

    [Figure 2 labels: 9900 Wireless Network Guardian (multivendor, multi-technology, real-time); Impact of subscribers on network loading; Impact of performance on subscriber QoE; Impact of network loading on performance; Devices; Network; Applications]


    3. Enriching policy decisions with the 5780 DSC and wireless network intelligence

    The Alcatel-Lucent 5780 Dynamic Services Controller (DSC) is a state-of-the-art decision engine providing wireless service providers with the capabilities to map business demands and network constraints into easy-to-manage network policy rules. The decision engine uses a set of pre-defined service provider-configured service policies combined with additional network (device details, access type, location), subscriber (service tier, entitlements, credit balance), system (state, time of day) and application information (service description, traffic parameters) that it dynamically obtains from its various standard interfaces to maximize the effectiveness of its policy decisions. Once policy decisions are dynamically synthesized by the decision engine, they are formulated into network consumable rules and sent to the network where they are instantiated and enforced for per-device per-application data plane treatment. Wireless network intelligence is a new breed of data that can be used by the 5780 DSC to further enhance the operational capabilities of the service provider.

    The logical evolution to maximize the value of this data involves using dynamic policy control to provide policy-driven functions that can be delivered with velocity, scale, and operational efficiency. An integrated policy management solution would be able to establish flexible rules to dynamically examine the highly varying conditions at each cell site and network hop which may vary greatly from the events and traffic that are viewed from the core. Once a service provider-defined event or network anomaly (heavy user, security threat, etc.) is identified and deemed to impact subscriber performance, the policy engine can then trigger an action that would aim to address that condition. The action can be subscriber notification of the event to warn them of potential service deterioration and to offer service options that are more aligned with their personal traffic usage patterns. Other actions can be packet flow de-prioritization or even packet throttling. Figure 3 illustrates the 5780 DSC and the sources of dynamic data that it uses to make policy decisions.

    Figure 3. Enhancing the 5780 DSC's rules engine with wireless network intelligence

    [Figure 3 labels, inputs to the 5780 DSC's decision engine: Wireless network intelligence (per-subscriber, per-application real-time performance, network impact and anomalies); Device details/access type/location; Application details/service description; Subscriber profile/service tier/entitlements; Network details/updates]


    The next section details Alcatel-Lucent's Intelligent Traffic Management (ITM) solution, which represents the integration of the 9900 WNG with the 5780 DSC to create the service provider benefits outlined above.

    4. Intelligent Traffic Management

    4.1 A new breed of unwanted data traffic and anomalies

    A new breed of unwanted data traffic and anomalies is taking a foothold in existing wireless networks today that is causing havoc within the network while compromising a subscriber's QoE. These anomalous events include, but are not limited to, devices, servers and applications that are sending virus-laden or virus-generated flows and performing denial of service (DoS) attacks. This unwanted traffic not only consumes bandwidth but may also consume valuable signaling and airtime resources.

    In addition, this unwanted traffic does not contribute to revenue for the service provider and results in network capacity being consumed that could otherwise be used to improve and maintain a subscriber's QoE and bolster overall network performance and capacity. By eliminating or controlling this traffic, OPEX cost savings would be realized since less troubleshooting and customer-care expenses will be incurred. Moreover, CAPEX savings would also be realized since the existing capacity of the network will be increased.

    4.1.1 Unwanted or rogue traffic

    Some of the more common sources of unwanted or rogue traffic that can be identified by the 9900 WNG are:

    Peer-to-peer (P2P) traffic: a class of traffic from a specific device often associated with video downloading that is typically very aggressive in nature and has a tendency to consume massive amounts of broadband traffic in an unfair manner. During times of congestion this traffic may be a candidate for action provided it imposes on other subscribers.

    Always Active Airtime: when users have a constant wireless communications channel up that exceeds normal airtime use attributed to voice or broadband data sessions.

    Port scanning: when a source (mobile device application/Internet server application) attempts to cycle through TCP/UDP ports within a device/server or across many devices/servers to identify an opening that could be used for an attack or denial of service.

    Signaling attack: when a source seeks to overload the control plane of a 3G/4G wireless network using low-volume attack traffic by repeatedly triggering radio channel allocations and revocations.

    Battery attack: when a malicious source commandeers a mobile device's communications channel to repeatedly awaken it from an idle low-power slumber into a state of readiness that saps its electric power and consumes network resources.

    4.1.2 Heavy users

    In addition to the aforementioned traffic, every network has a set of non-malicious subscribers who are consuming an unfair amount of network resources, thereby compromising the overall QoE of others.

    The RAN, backhaul, and packet core elements provide QoS capabilities that deal specifically with real-time congestion to provide packet prioritization while maximizing network and cell throughput. However, these functions are generally not subscriber, entitlement, and historical usage aware. For example, the RAN automatically distributes service equally among all user traffic within the same QoS class regardless of the subscriber's entitlements, historic traffic use, or potential involvement in an anomalous event (heavy user, security threat, etc.). In many cases, all subscribers share a single QoS group for their broadband traffic, opening up opportunities for heavy users to thrive and compromise the QoE of others with the same entitlements. The 9900 WNG is able to detect heavy data users as well as heavy signaling users.


    The next section shows how the sources of these anomalous events and heavy use are identified by the 9900 WNG and reported to the 5780 DSC so that service provider-defined policies can trigger an action to alleviate these disruptive conditions.

    4.2 Intelligent Traffic Management

    ITM is a solution that identifies unwanted or rogue traffic in the wireless network through proactive real-time network measurement and analytics. It then de-prioritizes, throttles, or removes this traffic, for a period of time, through policy decisions allowing service providers to protect subscribers' QoE while better using their network resources.

    There are three main functions in the solution, which involve different parts or elements in the network. The first function is Monitor and Analyze and is performed by the 9900 WNG. The second function is Process and Trigger and is performed by the 5780 DSC. It is important to note that tight integration is needed between the 9900 WNG and the 5780 DSC for these two functions to work in concert. The third and last function is Enforce and Deliver, and relies on the wireless network and various elements within it to provide both the enforcement and the delivery functions. Figure 4 illustrates a network view of the solution and the general mechanics behind it.

    Figure 4. Intelligent Traffic Management Solution framework

    4.2.1 Monitor and Analyze

    This function is performed by the 9900 WNG by collecting and monitoring subscriber and application traffic in real-time, which it correlates with the loading and performance of all network elements. The 9900 WNG then generates subscriber anomaly events (port scans, battery attacks, heavy users, etc.) and network element performance alerts by evaluating the specific anomalies over a configurable watching window period.

    Each anomaly event and performance alert is evaluated over its own dedicated watching window or trending period to ensure that it is not a random one-time event but rather a sustained issue that needs to be addressed. The anomaly being analyzed is assigned an intensity level for every watching window and is reported to the 5780 DSC with that detail. Each anomaly event's watching window and intensity level definition is service provider-configurable, thus ensuring flexible implementation capabilities.

    [Figure 4 labels: 9900 Wireless Network Guardian (Monitor and analyze); Anomaly notification; 5780 Dynamic Services Controller (Process and trigger); Enforce and deliver; Radio access network; Backhaul; Packet core]


    The 9900 WNG notifies the 5780 DSC of all per-subscriber anomalous events (such as high data usage and signaling subscribers, port scans, etc.). As the subscriber enters into, exits from, or transitions from one level of intensity to another, the 9900 WNG will notify the 5780 DSC. The 9900 WNG can also filter notifications and only send a notification if an anomaly is of a specified intensity threshold. In addition, the 9900 WNG can notify the 5780 DSC of a network element or link that is exhibiting a performance anomaly such as congestion or signaling overload. When the 9900 WNG notifies the 5780 DSC of a subscriber anomaly event or a network performance event, an assignment is created for each event against the subscriber or network object.
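
The watching window, intensity level and enter/transition/exit notifications described in this section can be modeled as follows. This is an added example, not 9900 WNG code: the window length, the per-sample MB bands, the filter level, and the rule that a level counts as sustained only when every sample in the window reaches it are all assumptions.

```python
from collections import deque

# Every number here is an assumption; the paper only states that the watching
# window and the intensity level definitions are service provider-configurable.
WINDOW = 3                     # watching window, in consecutive usage samples
BANDS = [(50, 1), (100, 2), (200, 3), (400, 4), (800, 5)]  # (MB per sample, level)
NOTIFY_FROM = 2                # notification filter: suppress levels below this


def sustained_level(samples):
    """Highest intensity level that every sample in a full window reaches."""
    if len(samples) < WINDOW:
        return 0               # not enough history to call it sustained
    floor = min(samples)       # one burst cannot raise the minimum
    level = 0
    for threshold, band_level in BANDS:
        if floor >= threshold:
            level = band_level
    return level


class HeavyUserMonitor:
    def __init__(self):
        self.windows = {}      # subscriber -> deque of recent samples
        self.reported = {}     # subscriber -> intensity last sent to the policy side

    def observe(self, subscriber, megabytes):
        """Record one sample; return a notification dict on a state change, else None."""
        window = self.windows.setdefault(subscriber, deque(maxlen=WINDOW))
        window.append(megabytes)
        level = sustained_level(window)
        if level < NOTIFY_FROM:
            level = 0          # filtered levels look like "no anomaly" to the receiver
        previous = self.reported.get(subscriber, 0)
        if level == previous:
            return None        # no enter, exit or transition: stay silent
        self.reported[subscriber] = level
        if previous == 0:
            change = "enter"
        elif level == 0:
            change = "exit"
        else:
            change = "transition"
        return {"subscriber": subscriber, "event": "heavy_user",
                "change": change, "intensity": level}


def replay(subscriber, samples):
    """Feed constructed samples through a fresh monitor and collect notifications."""
    monitor = HeavyUserMonitor()
    notes = (monitor.observe(subscriber, mb) for mb in samples)
    return [n for n in notes if n is not None]


# Constructed usage samples (MB per interval) for one subscriber; the 900 MB
# burst in the second interval is a one-time event and must not be reported.
SAMPLES = [30, 900, 40, 250, 260, 270, 450, 500, 480, 20, 10, 5]

if __name__ == "__main__":
    for note in replay("sub-A", SAMPLES):
        print(note)
```

Twelve samples produce three notifications, which is the load the receiving policy side has to handle; tightening `NOTIFY_FROM` reduces it further at the cost of hiding low-intensity subscribers.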

    4.2.2 Process and Trigger

    In order to apply the ITM capabilities in a dynamic, consistent, and scalable manner, specific per-subscriber policies are defined and created within the 5780 DSC. For each policy the service provider first simply defines items such as the event type (i.e., heavy user, port scans, battery attack, etc.), event intensity (i.e., 1=low, 5=high), and event precedence. Intensity level is important since it will give the service provider a threshold level for which to trigger an action. For example, if the intensity level of a prescribed anomalous event is greater than 4, then an action should be triggered. Furthermore, intensity level can be used to differentiate different service tiers. For example, intensity level 4 may trigger a policy on gold subscribers but intensity level 2 may trigger the same policy on bronze subscribers.

    Precedence is important as it enables the service provider to create a per-subscriber compound policy that may involve multiple anomalous events where one may have precedence over another. For example, if an application on the subscriber's device is executing a port scan, then the policy may be simply to terminate the subscriber's session even though the subscriber may also be considered a heavy user. In this case, the service provider would place a higher precedence on the port scan event over the heavy user status.

    Once the event types are defined in a policy, then certain actions are added that can be executed when certain thresholds are exceeded. One of the benefits of this solution is that the triggered actions are subscriber entitlement-aware due to the close integration between the 5780 DSC and the Subscriber Profile Repository (SPR). This means that specific knowledge of the subscriber can be considered to make actions more meaningful and personalized. Actions can be the following:

    Notification: This action offers an effective way to interact with the subscriber not only to notify them of the event but to offer to the subscriber new service options that would be more aligned with their traffic patterns.

    QoS changes: This action represents re-prioritizing the underlying IP packet flow to a lower QoS class. This is a very effective action as it will not discard packets, and application performance will not deteriorate for the subscriber unless there is congestion on one of the network elements in the end-to-end path.

    Packet throttle: This action represents throttling the underlying IP packet flow in the packet core. Subscriber application performance will be impacted immediately.

    Terminate session: This action terminates the actual broadband data session. This action is typically reserved for malicious security threats like port scans, battery attacks, etc.

    Once the policy is created (event type, intensity, precedence, actions) then the rule engine of the 5780 DSC is used to define the subscribers and the conditions under which the policy is to be applied. The rules engine is essential in applying policies with scale and flexibility to meet the ever-changing environment.
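
One way to model the compound policy described above (event type, per-tier intensity threshold, precedence, action) is shown below. This is an added example, not 5780 DSC code or its rule syntax: the `Rule` and `PolicyEngine` names, the precedence numbers, the subscriber identifiers, the dictionary standing in for the SPR, and the `only_when_congested` condition (modeled on the heavy-user discussion in section 4.3) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    event_type: str        # anomaly type named in the notification
    precedence: int        # higher value wins in a compound policy
    trigger_at: dict       # service tier -> minimum intensity (1=low, 5=high)
    action: str            # notification, qos_change, packet_throttle, terminate_session
    only_when_congested: bool = False


# Constructed compound policy. Tiers and thresholds follow the gold/bronze
# illustration in the text; the precedence numbers are assumptions.
POLICY = [
    Rule("port_scan", 100, {"gold": 1, "bronze": 1}, "terminate_session"),
    Rule("heavy_user", 10, {"gold": 4, "bronze": 2}, "qos_change",
         only_when_congested=True),
]

# Constructed stand-in for the Subscriber Profile Repository lookup.
SPR = {"sub-gold": "gold", "sub-bronze": "bronze"}


@dataclass
class PolicyEngine:
    # subscriber -> {event_type: intensity}, one assignment per reported event
    assignments: dict = field(default_factory=dict)

    def notify(self, subscriber, event_type, intensity):
        """Apply an enter/transition (intensity > 0) or exit (intensity 0) notification."""
        events = self.assignments.setdefault(subscriber, {})
        if intensity == 0:
            events.pop(event_type, None)
        else:
            events[event_type] = intensity

    def decide(self, subscriber, cell_congested):
        """Return (action, event_type) for the winning rule, or None if nothing triggers."""
        tier = SPR.get(subscriber)
        events = self.assignments.get(subscriber, {})
        matched = []
        for rule in POLICY:
            intensity = events.get(rule.event_type)
            threshold = rule.trigger_at.get(tier)
            if intensity is None or threshold is None:
                continue       # no such event assigned, or tier not covered by the rule
            if intensity < threshold:
                continue       # below this tier's trigger level
            if rule.only_when_congested and not cell_congested:
                continue       # enough capacity for everyone: no action needed
            matched.append(rule)
        if not matched:
            return None
        # Precedence resolves subscribers with several active anomalies.
        winner = max(matched, key=lambda rule: rule.precedence)
        return (winner.action, winner.event_type)


if __name__ == "__main__":
    engine = PolicyEngine()
    engine.notify("sub-gold", "heavy_user", 5)
    engine.notify("sub-gold", "port_scan", 1)
    print(engine.decide("sub-gold", cell_congested=True))
```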

    4.2.3 Enforce and Deliver

    Enforcement and delivery is the instantiation of the policy rules into the network by the network elements. Once the 5780 DSC synthesizes the policy rules into a set of network-consumable actions it communicates these actions to the network via the 3rd Generation Partnership Project (3GPP) standard Gx interface for enforcement at specific network enforcement points. In 3G networks, communication will go directly through the Gx interface to the Gateway GPRS Node Support (GGSN); and in 4G networks communication will go directly through the Gx interface to the Packet Data Network Gateway (PGW). For both 3G and 4G networks, the Gx interfaces can be used to communicate directly with the DPI appliance for enforcement. These enforcement points are used to either re-prioritize, throttle, or terminate the packet flow that has been identified as being anomalous.

    Once these packet flows are acted upon at the enforcement points (e.g., re-prioritized, throttled) they need to be delivered across the end-to-end wireless network with the specific priority and performance dictated by the policy. It is the collective responsibility of each network element in the packet core, the backhaul network, and the radio access network to provide this delivery function.

    4.3 Heavy user use-case example

    Internal Alcatel-Lucent research on real mobile broadband network usage data has shown that the top few percent of users generates a disproportionate percentage of the total network load. Based on real network measurements using the 9900 WNG, Figure 5 has been created to demonstrate this trend. In Figure 5, Smartphone A and Smartphone B represent data usage for different devices in the research.

    Figure 5. Disproportionate data use from a small number of users

    From this graph it is clear that the top 10% of data users consumed 80% of traffic and the top 20% of data users consumed 90% of traffic. In fact, internal studies show that long-term heavy users are repeat offenders since the top 5% of data users of the preceding day consumed between 30 to 35% of data in congested times (peak periods) during the next day. It is clear there are users that are consuming a disproportionate amount of resources and, during times of congestion, are using more than their fair share of bandwidth. The issue with this phenomenon is that this extra bandwidth use from heavy users is not being monetized yet it impacts the QoE of other valued subscribers during times of contention. One of the reasons why this happens is due to the fact that the QoS capabilities in the network do not distinguish between a user consuming massive amounts of broadband data and a normal behaving user within the same QoS class. Moreover, in many wireless network deployments, all broadband traffic sessions are often lumped into the same QoS class, which exacerbates the situation.

    [Figure 5 plot: series Smartphone A and Smartphone B; x-axis: Percentage (%) of top UEs by volume; y-axis: Percentage (%) of total traffic volume by specific UEs; annotation: Small percentage of users use disproportionate amounts of bandwidth, 80% of volume consumed by 10% of devices]


    This is where ITM can really help. With ITM, the service provider can create their own definition for what a heavy user is by specifying their own intensity levels. Once this definition is set, the solution will provide a notification of the new events, thus making the service provider aware of all heavy users and when the users transition to and from various intensity levels. The service provider can create specific policies that can be unique for each subscriber class and their personal entitlements, and prescribe when an action(s) should take place and what the action should be. In many cases, the action would be either to re-prioritize or throttle the heavy user's packet flow during times of congestion or during times when other subscribers would be impacted. If there is enough network capacity for all subscribers, then actions may not be needed.

    An action could also include a personal notification to the subscriber offering higher performance service options or options that are tailored more specifically to their personal usage patterns. This is good for the subscriber since they would be charged more precisely for the personal usage they consume leading to more value. This is also good for the service provider since they would more precisely monetize their network.

    5. Conclusion

    In the new era of wireless broadband networks it is essential for service providers to understand how traffic impacts their network and how it relates to device-specific application packet flows. This knowledge is called wireless network intelligence. Without this knowledge, service providers are operating in a blind fashion and really do not understand how to protect their subscribers' QoE and secure the integrity of their network. ITM not only provides wireless network intelligence, but it offers a solution that uses this intelligence to create network-wide policies that protect monetized users from malicious security threats and heavy users. This keeps subscriber QoE high, and reduces churn, while securing the integrity of the network.

    6. Abbreviations

    3GPP 3rd Generation Partnership Project

    DOS Denial of Service

    DPI Deep Packet Inspection

    DSC Dynamic Services Controller

    GGSN Gateway GPRS Node Support

    ITM Intelligent Traffic Management

    P2P Peer-to-Peer

    PGW Packet Data Network Gateway

    QoE Quality of Experience

    QoS Quality of Service

    RAN Radio Access Network

    SPR Subscriber Profile Repository

    UE User Equipment

    WNG Wireless Network Guardian

    7. Resources

    Improving QoE With an Intelligent Look into Wireless Network Capacity, Techzine feature article, Sept 21, 2010, http://www2.alcatel-lucent.com/blogs/techzine/

    Personalizing the Network: Policy End to End, Heavy Reading on behalf of Alcatel-Lucent, November 2010

    www.alcatel-lucent.com/5780dsc

    www.alcatel-lucent.com/9900wng

    www.alcatel-lucent.com/itm


    www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2011 Alcatel-Lucent. All rights reserved. CPG2896110204 (02)