
EP2494744A2 - Method for monitoring network traffic by means of descriptive metadata - Google Patents


Info

Publication number
EP2494744A2
Authority
EP
European Patent Office
Prior art keywords
traffic
metadata
information
classification
accounting
Prior art date
Legal status
Withdrawn
Application number
EP09850771A
Other languages
German (de)
English (en)
Other versions
EP2494744A4 (fr)
Inventor
Francisco Javier Ramon Salguero
Gerardo Garcia De Blas
Current Assignee
Telefonica SA
Original Assignee
Telefonica SA
Priority date
Filing date
Publication date
Application filed by Telefonica SA
Publication of EP2494744A2
Publication of EP2494744A4
Legal status: Withdrawn


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/02 Capturing of monitoring data
    • H04L 43/028 Capturing of monitoring data by filtering
    • H04L 43/026 Capturing of monitoring data using flow identification
    • H04L 43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L 43/12 Network monitoring probes

Definitions

  • This invention belongs to the area of communication networks and, more specifically, to the field of traffic monitoring.
  • Traffic monitoring is an important procedure in data network management, since it allows anticipating the need to upgrade node capacity or link bandwidth before the network becomes congested.
  • This capacity planning is done on a time scale of weeks or months and is a common operating procedure in operators' networks.
  • Traffic monitoring also allows building traffic matrices: a traffic matrix contains the amount of traffic exchanged between each source and destination node or group of nodes.
  • Traffic matrices are very useful for network planning, since, from a well-known network routing scheme, it is possible to obtain the load or traffic of each link. With this information, a network resilient to single or double failures in nodes or links can be built.
  • Traffic identification or classification deals with the identification of the traffic as belonging to a specific application or service.
  • The future demands for capacity differ from one application or service to another.
  • The classification of traffic into different typologies allows applying finer-grained policies in capacity planning, anticipating the real needs for equipment upgrades. Besides, it allows building traffic matrices for each application or service, thus making network planning finer. It also helps in network operation, since it allows diagnosing the reasons behind an unexpected growth of traffic on specific links.
  • Traffic identification can be done in several ways. Based on port numbers: this technique relies on the fact that end applications use known TCP and User Datagram Protocol (UDP) ports for their connections, so a classification is done from the ports used. For instance, web traffic uses the HTTP and HTTPS protocols, which use Transmission Control Protocol (TCP) port numbers 80 and 443 respectively. The traffic identification can be done by using well-known lists of ports, such as the official port numbers assigned by the Internet Assigned Numbers
  • This technique can be applied for real-time traffic classification (on the fly) as well as for off-line analysis (from stored traffic traces).
  • Some of these techniques can be applied in real time, but others can only be applied off-line, since they require the whole traces. For instance, if one of the drivers to classify the traffic is the number of TCP connections established from a host towards a destination host with the same source or destination ports, this classification cannot be done until the whole trace has been processed.
  • This traffic classification is based on the analysis of the payload transported inside the TCP and UDP protocols. For that reason, this traffic classification is commonly called Layer 7 classification.
  • The traffic classification can be based on the identification of application protocol primitives inside the payload, or on the identification of patterns (the appearance of specific strings of bytes in the payload).
  • Cisco developed Netflow, a network protocol that runs on Cisco IOS-enabled equipment for collecting Internet Protocol (IP) traffic information. Although it is a proprietary solution, it is also supported by platforms other than IOS, such as Juniper Networks' routers.
  • Routers enabled with Netflow generate Netflow records, a traffic summary of bytes and packets sent/received per flow.
  • A Netflow flow is defined by a tuple composed of source IP address, destination IP address, transport protocol, source port and destination port.
  • Records aggregate the traffic of a flow over some period of time, typically 5 minutes.
  • Netflow records are exported in a specific format to Netflow collectors, where records from several Netflow-enabled routers are received.
  • The IETF (Internet Engineering Task Force) has standardized an equivalent flow export format, IPFIX (IP Flow Information Export).
  • Although Netflow is a solution for traffic accounting, not for traffic classification, the generated Netflow records can be post-processed to perform traffic analysis and classification based on port numbers or on flow patterns.
  • For instance, lots of applications use TCP port number 80, since this port number is not filtered by firewalls. Besides, some applications started to use TCP port number 80 as a way to disguise their traffic as HTTP and avoid being filtered.
  • Traffic embedded in HTTP (TCP port 80) will always be classified as web traffic, with no distinction of the type of traffic transported inside it.
  • Video traffic is transported inside the HTTP protocol, so with this technique it is impossible to discriminate video traffic transported inside HTTP traffic.
  • A flow could have source port 4600 and destination port 5000, and it is then necessary to establish priority rules in order to decide whether the traffic belongs to the application that uses port number 4600 or to the application that uses port number 5000.
  • Netflow records have become less used as a way to classify traffic, although they keep being used worldwide for traffic accounting and for building intra-domain and inter-domain traffic matrices.
  • Figure 1 shows an example of a possible implementation of the invention.
  • Figure 2 is an example of how the modules in the possible implementation could be grouped into a single device.
  • The invention thus consists of a procedure of traffic classification that distinguishes between the information describing the type of content (application, service) transported in the payload of certain packets, and the information related to traffic accounting (count of bytes per flow).
  • This strategy allows decoupling the techniques used to obtain both types of information: traffic classification and traffic accounting.
  • The present invention consists of a new process for traffic monitoring comprising the steps of: classifying information either as relevant for traffic classification (META) or as relevant for traffic accounting (ACC); generating metadata from the information relevant for traffic classification, this metadata comprising the data needed to classify the packet or flow into a specific application or service; and exporting the generated metadata through an interface intended to store and/or send the metadata to another device or module.
  • META: information relevant for traffic classification.
  • ACC: information relevant for traffic accounting.
  • Signatures to identify and classify traffic could be improved, so that traffic which was not identified at a specific moment could be identified later on with the new signatures.
  • One example of this reclassification could be video traffic embedded in HTTP. This traffic can be identified by the appearance of specific strings of characters in the URLs (pattern). These patterns could change at any moment, so that this traffic could be considered unknown.
  • The metadata information generated from web data packets could include the whole URL of all unidentified HTTP GET requests. An off-line analysis could be performed on the generated metadata, inspecting the URLs of the unidentified HTTP GET requests, thus generating new patterns and enabling the off-line classification of those traffic flows matching the given metadata.
  • The metadata information generated from web data packets could include the host of the HTTP GET request, in order to get statistics of visited hosts.
  • The ACC information includes, for example, the volume of bytes and packets per flow.
  • Figure 1 shows an example of the procedure that could be followed in order to classify traffic with the methodology described in this invention.
  • A packet is intercepted by a traffic capturing module (module 1).
  • The packet is passed to a traffic detection module (module 2), which classifies the traffic either as META or as ACC.
  • The metadata generation module (module 3) extracts the interesting information, called metadata, and the metadata is exported by the exporting module (module 4) towards a correlation module (module 5).
  • Module 5 also receives the traffic accounting from a traffic accounting module (modules 6 and 7). Traffic accounting can be generated in different ways, since the functionality of traffic accounting has been decoupled from the traffic classification.
  • Module 6 generates the traffic accounting from the ACC information.
  • Module 7 in the figure performs the traffic accounting from other sources (module 8); for instance, the traffic accounting could be performed by a Netflow collector which receives the Netflow records from several routers.
  • Module 5 correlates the metadata and the traffic accounting, providing a full classification of all the traffic flows into specific applications or services.
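The module chain just described (capture, META/ACC detection, metadata generation, export, accounting and correlation), as an added example that is not part of the patent or of any Telefonica code. It also exercises the two-stage reclassification of unknown HTTP traffic and the port-80 limitation described earlier. The packet model, addresses, payloads, the regular-expression signatures, the function names and the `STAGE1`/`STAGE2` signature sets are all constructed assumptions:

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet model (not a real capture): the Netflow tuple fields,
# the wire length and, for packets the detector marks META, the payload.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    length: int
    payload: bytes = b""

    def flow_key(self):
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)

HTTP_REQUEST = re.compile(rb"^(?:GET|POST) (\S+) HTTP/1\.[01]\r\n")
HTTP_HOST = re.compile(rb"\r\nHost: ([^\r\n]+)")

# Module 2, traffic detection: a packet carrying an HTTP request line is META;
# every other packet is ACC and is never inspected beyond its headers.
def detect(pkt):
    return "META" if HTTP_REQUEST.match(pkt.payload) else "ACC"

# Module 3, metadata generation: keep only host and URL of the request; no
# per-flow counters are held here, which is the point of the decoupling.
def generate_metadata(pkt):
    req = HTTP_REQUEST.match(pkt.payload)
    host = HTTP_HOST.search(pkt.payload)
    return {"flow": pkt.flow_key(),
            "host": host.group(1).decode() if host else "",
            "url": req.group(1).decode()}

# Modules 6/7, traffic accounting: Netflow-style bytes and packets per
# unidirectional flow. A Netflow collector could supply the same table.
def account(packets):
    acc = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for p in packets:
        acc[p.flow_key()]["bytes"] += p.length
        acc[p.flow_key()]["packets"] += 1
    return dict(acc)

# Module 5, correlation: join each accounting row with the metadata of the same
# flow in either direction (only the request carries the URL), then apply the
# signatures in order; flows with no matching metadata stay "unknown".
def correlate(metadata, accounting, signatures):
    by_flow = {md["flow"]: md for md in metadata}
    report = {}
    for key, counters in accounting.items():
        src_ip, dst_ip, proto, src_port, dst_port = key
        md = by_flow.get(key) or by_flow.get((dst_ip, src_ip, proto, dst_port, src_port))
        app = next((n for n, pat in signatures if md and pat.search(md["url"])), "unknown")
        report[key] = {"app": app, **counters}
    return report

def bytes_per_app(report):
    totals = defaultdict(int)
    for row in report.values():
        totals[row["app"]] += row["bytes"]
    return dict(totals)

# Port-based classification, for comparison: anything on TCP/80 is "web".
def classify_by_port(accounting):
    return {k: "web" if k[2] == "TCP" and 80 in (k[3], k[4]) else "unknown"
            for k in accounting}

# Modules 1 and 4 collapsed: capture is the packet list, export is the return.
def run_pipeline(packets):
    metadata = [generate_metadata(p) for p in packets if detect(p) == "META"]
    return metadata, account(packets)

# Constructed sample traffic: a page fetch, a video fetched over HTTP on
# port 80, and a UDP flow with no HTTP request at all.
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.10", "TCP", 40001, 80, 180,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("203.0.113.10", "10.0.0.5", "TCP", 80, 40001, 1400),
    Packet("10.0.0.5", "203.0.113.10", "TCP", 40001, 80, 60),
    Packet("10.0.0.7", "203.0.113.20", "TCP", 40002, 80, 200,
           b"GET /videoplayback?id=42 HTTP/1.1\r\nHost: video.example.net\r\n\r\n"),
    Packet("203.0.113.20", "10.0.0.7", "TCP", 80, 40002, 1400),
    Packet("203.0.113.20", "10.0.0.7", "TCP", 80, 40002, 1400),
    Packet("10.0.0.9", "203.0.113.30", "UDP", 5000, 4600, 300),
]

# First-stage signatures know only plain pages; the second stage adds a URL
# pattern for video and re-runs over the stored metadata, with no re-capture.
STAGE1 = [("web", re.compile(r"\.html$"))]
STAGE2 = [("video-over-http", re.compile(r"^/videoplayback"))] + STAGE1

if __name__ == "__main__":
    md, acc = run_pipeline(SAMPLE)
    print("port-based:", classify_by_port(acc))
    print("stage 1:", bytes_per_app(correlate(md, acc, STAGE1)))
    print("stage 2:", bytes_per_app(correlate(md, acc, STAGE2)))
```

Only two of the seven packets ever reach the metadata path; the accounting side sees none of the payload. Port-based classification labels both HTTP flows as "web", whereas the first correlation stage leaves the video flow unknown and the second stage, run on the metadata already exported, reassigns its 3000 bytes to video without touching the capture or the accounting.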
  • The possible implementation depicted in Figure 1 is only a functional scheme. Functionalities of the different modules could be grouped into a single device or separated into different devices.
  • Figure 2 shows an example of how the modules in the possible implementation could be grouped into a single device (Equipment 1), such as the DPI equipment.
  • Figure 3 shows an example of how the modules in the possible implementation could be grouped into three different devices.
  • Equipment 1 could be a DPI device simpler than the current ones (it will not perform the accounting).
  • Equipment 1 could also be a router card specialized in the identification, generation and exporting of metadata.
  • The role of Equipment 2 is currently played, for instance, by Netflow collectors, which generate the traffic accounting information from the Netflow records of the routers.
  • Equipment 3 would be a new device that performs the storage and correlation of information to generate the reports on traffic classification.
  • The invention allows the current DPI equipment to focus on classification, generating metadata useful for identifying the type of traffic, whereas the traffic accounting could be done by different equipment (e.g. a router enabled with Netflow).
  • The complexity of DPI equipment can be reduced, and building real-time traffic characterization systems which scale well in networks with high traffic volumes is made possible.
  • DPI equipment would not need to keep state for all identified flows for traffic accounting, so its memory and processing requirements will be lower. Traffic accounting could be done by systems such as Netflow collectors, which are commonly used and deployed in operators' networks. This reduction of complexity in the DPI equipment would imply CAPEX savings for operators. Also, due to the reduction of complexity in the DPI equipment, the functionality of detection and classification could be transferred to specific router cards, thus eliminating the need for new equipment and, consequently, decreasing the OPEX associated with managing one or more DPI devices per network Point of Presence (PoP).
  • The traffic classification becomes more flexible, since it is possible to add rules for metadata generation that can help to re-classify, in a second stage, traffic that was classified as unknown in a first stage.
  • This is not possible nowadays with the DPI equipment.
  • The metadata information can be used for purposes other than traffic classification.
  • Statistics of visited hosts could be generated from metadata information which includes the hosts of the HTTP GET requests.
  • Another example of useful information that could be extracted as metadata is the codec rates of videos embedded in web pages, whose distribution could allow predicting increases in network traffic due to changes in codec rates.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a process for monitoring traffic comprising the steps of classifying information either as relevant for traffic classification or as relevant for traffic accounting, generating metadata based on the information relevant for traffic classification, this metadata information comprising the data needed to classify the packet or flow into a specific application or service, and exporting the generated metadata through an interface designed to store and/or send the metadata to another device or module. This process reduces the complexity of DPI equipment and makes it possible to build real-time traffic characterization systems that scale easily to networks with high traffic volumes.
EP09850771.8A 2009-10-29 2009-10-29 Method for monitoring network traffic by means of descriptive metadata Withdrawn EP2494744A4 (fr)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2009/007474 WO2011051750A2 (fr) 2009-10-29 2009-10-29 Method for monitoring network traffic by means of descriptive metadata

Publications (2)

Publication Number Publication Date
EP2494744A2 true EP2494744A2 (fr) 2012-09-05
EP2494744A4 EP2494744A4 (fr) 2014-12-10

Family

ID=43503085

Family Applications (1)

Application Number Title Priority Date Filing Date
EP09850771.8A Withdrawn EP2494744A4 (fr) 2009-10-29 2009-10-29 Method for monitoring network traffic by means of descriptive metadata

Country Status (6)

Country Link
EP (1) EP2494744A4 (fr)
CN (1) CN102648604B (fr)
AR (1) AR078823A1 (fr)
BR (1) BR112012010045A2 (fr)
UY (1) UY32981A (fr)
WO (1) WO2011051750A2 (fr)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ES2568602T3 (es) * 2011-09-28 2016-05-03 Telefónica S.A. A method for minimizing the post-processing of network traffic
US8441961B1 (en) 2012-12-24 2013-05-14 Sideband Networks, Inc. Metadata-driven switch network control
US9386103B2 (en) 2013-10-04 2016-07-05 Breakingpoint Systems, Inc. Application identification and dynamic signature generation for managing network communications
US9742881B2 (en) * 2014-06-30 2017-08-22 Nicira, Inc. Network virtualization using just-in-time distributed capability for classification encoding
US10582027B2 (en) * 2017-11-04 2020-03-03 Cisco Technology, Inc. In-band metadata export and removal at intermediate nodes
US11677668B1 (en) * 2020-08-31 2023-06-13 National Technology & Engineering Solutions Of Sandia, Llc Transparent application-layer/os deeper packet inspector

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ATE496341T1 (de) * 1999-06-30 2011-02-15 Apptitude Inc Method and device for monitoring network traffic
KR100523486B1 (ko) * 2002-12-13 2005-10-24 Electronics and Telecommunications Research Institute Traffic measurement system and traffic analysis method thereof
US7321565B2 (en) * 2003-08-29 2008-01-22 Ineoquest Technologies System and method for analyzing the performance of multiple transportation streams of streaming media in packet-based networks
US7773598B2 (en) * 2004-12-21 2010-08-10 Telefonaktiebolaget L M Ericsson (Publ) Arrangement and a method relating to flow of packets in communications systems
US7782793B2 (en) * 2005-09-15 2010-08-24 Alcatel Lucent Statistical trace-based methods for real-time traffic classification
US7805510B2 (en) * 2006-05-11 2010-09-28 Computer Associates Think, Inc. Hierarchy for characterizing interactions with an application
US8179895B2 (en) * 2006-08-01 2012-05-15 Tekelec Methods, systems, and computer program products for monitoring tunneled internet protocol (IP) traffic on a high bandwidth IP network
US7995477B2 (en) * 2007-05-08 2011-08-09 Cisco Technology, Inc. Collecting network traffic information

Also Published As

Publication number Publication date
EP2494744A4 (fr) 2014-12-10
CN102648604B (zh) 2015-12-16
AR078823A1 (es) 2011-12-07
UY32981A (es) 2011-01-31
WO2011051750A3 (fr) 2011-11-24
CN102648604A (zh) 2012-08-22
WO2011051750A2 (fr) 2011-05-05
BR112012010045A2 (pt) 2016-05-24

Similar Documents

Publication Publication Date Title
Amaral et al. Machine learning in software defined networks: Data collection and traffic classification
Wang et al. A framework for QoS-aware traffic classification using semi-supervised machine learning in SDNs
US7644150B1 (en) System and method for network traffic management
CN102315974B (zh) Method and device for online identification of TCP and UDP traffic based on hierarchical feature analysis
EP1742416B1 (fr) Method, computer-readable medium and system for analyzing and managing application traffic on networks
US20210194894A1 (en) Packet metadata capture in a software-defined network
Este et al. On the stability of the information carried by traffic flow features at the packet level
CN115150278B (zh) Using a data processing unit (DPU) as a preprocessor for graphics processing unit (GPU)-based machine learning
US20200186547A1 (en) Detecting encrypted malware with splt-based deep networks
CN110855493B (zh) Application topology mapping device for hybrid environments
CN110266556A (zh) Method and system for dynamically detecting service anomalies in a network
EP2494744A2 (fr) Method for monitoring network traffic by means of descriptive metadata
US8130767B2 (en) Method and apparatus for aggregating network traffic flows
CN113542049A (zh) Method, network device and storage medium for detecting packets lost within a computer network
US20190124094A1 (en) Active prioritization of investigation targets in network security
US20160248652A1 (en) System and method for classifying and managing applications over compressed or encrypted traffic
WO2006120040A1 (fr) Traffic analysis on high-speed networks
US20250358189A1 (en) Systems and methods for network policy enforcement
US20090252041A1 (en) Optimized statistics processing in integrated DPI service-oriented router deployments
CN112165400A (zh) A system for troubleshooting data network faults based on network latency
Pekar et al. Towards threshold‐agnostic heavy‐hitter classification
Morel et al. Network services management using programmable data planes for visual cloud computing
Polverini et al. Investigating on black holes in segment routing networks: Identification and detection
JP4246238B2 (ja) Method for distributing and collecting traffic information
US7983164B2 (en) Apparatus and method for merging internet traffic mirrored from multiple links

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20120529

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR

DAX Request for extension of the european patent (deleted)
A4 Supplementary search report drawn up and despatched

Effective date: 20141111

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 12/70 20130101AFI20141105BHEP

Ipc: H04L 12/26 20060101ALI20141105BHEP

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20170125

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20170607