Summary of Internet traffic classification for high-performance and off-the-shelf systems

Pedro María Santiago del Río

  • Network traffic monitoring is of paramount importance for network operators due to ever-increasing link speeds and users' bandwidth demand. Thus, it has awakened the interest of the research community in recent years. In particular, traffic classification (i.e., associating traffic with the application that generated it) is one of the most relevant monitoring tasks, providing crucial information to network managers. The heterogeneity and complexity of current networks, along with high link speeds (typically ranging from 1 Gb/s to 40 Gb/s), make traffic monitoring more difficult. This implies a significant investment in infrastructure, especially on large-scale networks that require multiple points of measurement, given that traffic monitoring tasks are very demanding in terms of computational power. Undoubtedly, traffic classification has to be accurate enough to achieve its expected usefulness for network management, even when traffic is obfuscated, encrypted and uses arbitrary port numbers. Furthermore, because of the constant evolution of networks, the proposed monitoring tools must definitely be flexible, scalable and able to support higher throughput.

    This study aims at analyzing the feasibility of a network traffic monitoring system, and particularly a traffic classification engine, which fulfills the abovementioned challenges, namely: (i) high performance, (ii) limited cost, (iii) accuracy, and (iv) scalability. Off-The-Shelf (OTS) systems, based on open-source software and commodity hardware, are presented as a great alternative to the specialized hardware that has traditionally been used for such tasks. In particular, contemporary Non-Uniform Memory Access (NUMA) systems with multi-core architectures, as well as modern Network Interface Cards (NICs) with multi-queue capabilities, are shown to have the potential capacity to cope with accurate traffic classification for high-speed and limited-cost systems. Thus, in this thesis, we thoroughly analyze each module of a typical traffic classification engine (and, more generally, of a network traffic monitoring system), namely: packet sniffing, timestamping, flow handling and classification.

    First, we reviewed, evaluated and compared the different proposals for packet sniffing (the first task of any monitoring system), highlighting their similarities and differences as well as their pros and cons. Second, we analyzed another low-level task of paramount importance in network traffic monitoring (especially in real-time services such as multimedia traffic): packet timestamping. We quantify the inaccuracy of packet timestamping by using novel packet capture engines. We propose two approaches to overcome or mitigate such accuracy limitations. Our proposal achieves the best results with respect to the rest of the solutions, even by several orders of magnitude.

    Then, we proposed a statistical classification engine based on software-only and commodity-hardware solutions. The proposal is able to classify on-line at more than 14 million packets per second (Mpps) and 2.8 million flows per second (Mfps) in a worst-case scenario, and up to 20 Gb/s when monitoring a real backbone link. Such astonishing results are possible thanks to the use of an improved network driver, the use of a lightweight statistical classification technique, and an exhaustive tuning of critical parameters of the hardware and the software application. Furthermore, we carefully analyzed the flow handling module (which is a common module in most monitoring systems) and different Machine Learning (ML) tools as traffic classifiers.

    Due to its relevance and popularity, we focus on multimedia traffic classification and monitoring. Specifically, we propose two Voice over IP (VoIP) monitoring systems, one for Session Initiation Protocol (SIP)-based VoIP technology and the other for Skype traffic, able to process and classify traffic at line rate on a 10 Gb/s link. Finally, the impact of packet sampling (used to reduce the computational load) on traffic classification is analyzed.

