Transcript
Page 1: Rapid Detection of Constant-Packet-Rate Flows

Rapid Detection of Constant-Packet-Rate Flows

ARES 2008, 03/05 1

Jing-Kai Lou, Kuan-Ta Chen
Institute of Information Science, Academia Sinica

Page 2: Rapid Detection of Constant-Packet-Rate Flows

Talk Outline

Motivation
Investigation
Performance Evaluation
Summary

Page 3: Rapid Detection of Constant-Packet-Rate Flows

Motivation

Popular real-time and interactive applications: VoIP, real-time network games

Traffic management: need for flow identification

A distinct characteristic of such traffic: Constant Packet Rate (CPR)
  VoIP: encoded continuous human voice
  Real-time network game: game state updates

Key to identifying VoIP and online gaming traffic: CPR flow identification

Page 4: Rapid Detection of Constant-Packet-Rate Flows

Key Contribution

A CPR traffic classifier
  Lightweight: 10 successive inter-packet times
  High accuracy: 90% identification rate

[Figure: traffic stream between two clients]

Page 5: Rapid Detection of Constant-Packet-Rate Flows

A Naive Method

Coefficient of Variation (CoV) of Inter-Packet Times (IPT)

IPT CoV small → CPR
IPT CoV large → non-CPR

[Figure: packet timeline with inter-packet times IPT1, IPT2, …, IPTi]

CPR traffic: IPT1 = IPT2 = … = IPTi

Page 6: Rapid Detection of Constant-Packet-Rate Flows

Ideal IPT Distribution

[Figure: density of inter-packet time (ms)]

Page 7: Rapid Detection of Constant-Packet-Rate Flows

Collected Traces

Trace               Flows   IPT CoV   Path Diversity
VoIP (Skype)        1739    0.37      1106 hosts / 1641 paths
Counter-Strike      1016    0.32      271 hosts / 270 paths
TELNET              276     1.53      140 hosts / 93 paths
HTTP                409     1.54      474 hosts / 325 paths
P2P                 1303    1.63      645 hosts / 644 paths
World of Warcraft   1611    0.71      52 hosts / 39 paths

Page 8: Rapid Detection of Constant-Packet-Rate Flows

Real IPT Distributions

Why are the IPT distributions of VoIP and Counter-Strike not as we expect?

Page 9: Rapid Detection of Constant-Packet-Rate Flows

Difficulties: Network Impairment

Host delay
Channel delay
Network queueing delay
Network packet loss

[Figure: CPR traffic leaving the sender, and the same traffic after network impairment (packet loss, delay)]

Page 10: Rapid Detection of Constant-Packet-Rate Flows

More Difficulties

To make a decision with a few samples
  short time
  little storage space

On a short time scale, non-CPR traffic can look like CPR

[Figure: non-CPR flow]

Page 11: Rapid Detection of Constant-Packet-Rate Flows

Refreshment

Our goal
  To find a good metric of IPT deviations for CPR detection

Challenges
  Network impairment
  Need for a small sample size

Page 12: Rapid Detection of Constant-Packet-Rate Flows

Deviation Metric Design

Design factors for measuring variation
  Function (FUN)
  Sample Size (W)
  Smoother Size (S)

Page 13: Rapid Detection of Constant-Packet-Rate Flows

Deviation Metric: Function (1/3)

Standard Deviation (SD)

$$SD = \sqrt{\frac{\sum_{i=1}^{N} (IPT_i - \overline{IPT})^2}{N}}$$

Coefficient of variation (CoV)

$$CoV = \frac{SD}{MEAN}$$

Page 14: Rapid Detection of Constant-Packet-Rate Flows

Deviation Metric: Function (2/3)

Mean absolute deviation (MD)

$$MD = \frac{\sum_{i=1}^{N} |IPT_i - \overline{IPT}|}{N}$$

Median absolute deviation (MAD)

$$MAD = \frac{\sum_{i=1}^{N} |IPT_i - \mathrm{median}(IPT)|}{N}$$

Page 15: Rapid Detection of Constant-Packet-Rate Flows

Deviation Metric: Function (2/3)

Interquartile range (IQR)

$$IQR = \text{Upper Quartile (75\%)} - \text{Lower Quartile (25\%)}$$

Range

$$Range = \max(IPT) - \min(IPT)$$

Page 16: Rapid Detection of Constant-Packet-Rate Flows

Deviation Metric: Sample Size

Sample size (W): number of IPT samples

W increases
  Accuracy increases
  Time/space complexity increases

[Figure: sample size trade-off between accuracy and time/space complexity]

Page 17: Rapid Detection of Constant-Packet-Rate Flows

Deviation Metric: Smoother Size

Smoother size (S): window size to smooth (mean)

W increases
  Impairment effect decreases
  False negative increases

[Figure: window size trade-off between false negatives and impairment effect]

Page 18: Rapid Detection of Constant-Packet-Rate Flows

FUN=CoV, W=10, S=1

Does this estimator setting achieve the best discriminative power?

Page 19: Rapid Detection of Constant-Packet-Rate Flows
Page 20: Rapid Detection of Constant-Packet-Rate Flows

Performance Metric

ROC (Receiver Operating Characteristic)
  TPR: ratio of true positives
  FPR: ratio of false positives

AUC (Area Under Curve): area under the ROC curve
  AUC = 1: perfect classification
  AUC > 0.8: generally good
  AUC = 0.5: random guess

Page 21: Rapid Detection of Constant-Packet-Rate Flows

Effect of Deviation Metric

Dimensionless metric CoV performs the best!

Page 22: Rapid Detection of Constant-Packet-Rate Flows

Effect of Sample Size

Sample size increases → ROC curve shifts left → AUC increases

Page 23: Rapid Detection of Constant-Packet-Rate Flows

Effect of Smoother Size

Improvement only for large samples

Page 24: Rapid Detection of Constant-Packet-Rate Flows

Discrimination Performance

Page 25: Rapid Detection of Constant-Packet-Rate Flows

Summary

Proposed using IPT constancy to identify CPR flows
  VoIP
  Real-time gaming

Studied various design issues of IPT deviation estimators

Our classifier (CoV-based) yields an accuracy rate of 90% with only 10 IPT samples
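The estimator design from the talk (FUN, W, S) as an added Python example; it is not the authors' code. The moving-mean smoother, the quartile method, the 0.5 CoV cut-off, the function names and the two IPT samples are assumptions made for illustration.

```python
import statistics
from itertools import accumulate

def smooth(ipts, s):
    # Assumption: the smoother is a moving mean over S consecutive IPTs (S=1: none).
    return [statistics.fmean(ipts[i:i + s]) for i in range(len(ipts) - s + 1)]

def deviation(ipts, fun="CoV"):
    """IPT deviation under one of the six functions (FUN) listed in the talk."""
    mean, med = statistics.fmean(ipts), statistics.median(ipts)
    if fun == "SD":
        return statistics.pstdev(ipts)             # population SD (divides by N)
    if fun == "CoV":
        return statistics.pstdev(ipts) / mean      # dimensionless
    if fun == "MD":
        return statistics.fmean([abs(x - mean) for x in ipts])
    if fun == "MAD":
        return statistics.fmean([abs(x - med) for x in ipts])
    if fun == "IQR":
        q1, _, q3 = statistics.quantiles(ipts, n=4)
        return q3 - q1
    if fun == "Range":
        return max(ipts) - min(ipts)
    raise ValueError(f"unknown FUN: {fun}")

def is_cpr(timestamps, fun="CoV", w=10, s=1, threshold=0.5):
    """Classify a flow from its first W inter-packet times.
    threshold=0.5 is an assumed cut-off for CoV only; the talk states none."""
    ipts = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(ipts) < w:
        return None                                # too few packets to decide
    return deviation(smooth(ipts[:w], s), fun) < threshold

# Constructed IPTs in ms: a 20 ms stream with jitter and one lost packet
# (40 ms gap), and a bursty interactive flow.
VOIP_LIKE = [20, 21, 19, 20, 40, 20, 18, 22, 20, 20]
BURSTY = [2, 3, 150, 2, 1, 4, 300, 2, 3, 90]

def to_timestamps(ipts):
    return list(accumulate([0] + ipts))            # arrival times from IPTs

if __name__ == "__main__":
    for name, ipts in (("voip-like", VOIP_LIKE), ("bursty", BURSTY)):
        print(name, round(deviation(ipts), 3), is_cpr(to_timestamps(ipts)))
```

A single lost packet doubles one IPT yet leaves the CoV well below that of the bursty flow, which is why ten samples can already separate the two.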

Page 26: Rapid Detection of Constant-Packet-Rate Flows

Page 27: Rapid Detection of Constant-Packet-Rate Flows
Page 28: Rapid Detection of Constant-Packet-Rate Flows

[Figure: CPR traffic arriving at the receiver after network impairment (packet loss, delay)]
