Traffic Analysis
Effective Traffic Classification Method: Payload based and Behavioral Algorithm

Traffic classification algorithms currently deployed in packetLiner products fall into two categories: payload-based algorithms and behavioral algorithms.
The payload-based classification algorithm mainly focuses on tackling the following well-known problems:
 (i) high sensitivity to packet loss and to TCP/IP fragmentation and segmentation issues;
 (ii) the hard and time-consuming task of creating protocol signatures, which are crucial to the effectiveness of the solution;
 (iii) encryption and/or tunneling, which hinders access to the data contained in application layer headers and payloads;
 (iv) significant requirements in terms of computational and memory resources, which make traffic classification at high line rates difficult;
 (v) fast searching for patterns or regular expressions that can uniquely identify each protocol;
 (vi) classification of new protocols or applications, which can be achieved by simply adding their description, without any modification to the classification software itself;
 (vii) unknown applications, addressed by a new method that can detect unknown flows generated by unknown applications and use the correlation information among the previously unknown traffic registry to boost classification performance.



[ Service Classification Method: Payload Analysis ]


Another approach to traffic classification relies on behavioral techniques, which can be further organized into three sub-categories: machine learning, statistical, and heuristic algorithms. The packetLiner behavioral algorithm is a heuristic algorithm that evaluates how each host acts within the network in order to identify the applications the hosts are running. Behavioral algorithms therefore work the same way regardless of whether flows use encrypted payloads. However, behavioral algorithms share some common limitations: first of all, most of them require a pre-classified traffic trace to train the classifier before it can start working. In packetLiner products, these pre-classified traces are usually classified using payload-based methods, manual inspection and human experience.


[ Service Classification Method: Behavioral Analysis ]

 

Subscriber, Service, and Application-aware Traffic Classification:
    Find Out Who Is Using Your Network, For What

Implementing subscriber-, service-, and application-aware traffic classification solutions enables CSPs to intelligently manage their data traffic, conserve network resources, and quickly deliver profitable services.
To achieve this, the packetLiner traffic classification solution offers application layer context derived from session-based data inspection as well as from its relation to the AAA and DNS systems. In other words, application layer context includes the identity of the user (who), the service or website that the user is trying to access (what), the origin of the access attempt (where), the time of the attempted access (when) and the properties of the device used for the access (how).

If someone is using an internet service on a public or company system, how can packetLiner traffic classification determine which ISP or web portal is delivering the traffic? In HTTP, all these hints and guesses appear as a domain name string in the Host header field of HTTP request messages. As depicted in the following figure, in packetLiner traffic classification, after the layer 7 protocol is identified and classified from TCP/UDP flows and connections, the application metadata extracted from that protocol is then organized into more detailed sub-classifications:
 • Layer 7 protocol = {tangoproto(1), kplayer(2), crazyfile(3), daumtvpotlive(4), …, gomtv(127) } where the members
   indicate the kinds of L7 protocols which packetLiner products can identify and classify
 • Internet Service = {tmembershop(1), naverse(2), kukinews(3), tangoproto(4), …, gomtv(887)} where the members
   indicate the names of internet services which packetLiner products can recognize
 • Web portal or Internet Service Provider = {trianglesquarem(1), hankyung(2), shop(3), enppy(4), …, jcube(472)} where
   the members indicate the names of ISPs which packetLiner products can recognize
 • User Devices = {mac(1), win7(2), lgphone(3), lggtv(4), …, linux(19)} where the members indicate the types of user
   devices or device OS which packetLiner products can recognize

 

[ Service Classification Method: Behavioral Analysis ]
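
The Host-header sub-classification described above, as an added Python example that is not packetLiner code. The lookup tables, the use of User-Agent for the device class, and the sample request are assumptions constructed for illustration; the request is split mid-header to show why payload-based classification needs the segments reassembled first.

```python
# Added illustration: sample tables and payloads below are constructed.
from typing import Optional

# Hypothetical signature tables (host/suffix/token -> label); not packetLiner's own.
SERVICE_BY_HOST = {"news.example.com": "example-news", "tv.example.net": "example-tv"}
PORTAL_BY_SUFFIX = {"example.com": "example-portal", "example.net": "example-isp"}
DEVICE_BY_UA_TOKEN = {"Windows NT 6.1": "win7", "Macintosh": "mac", "Linux": "linux"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def parse_http_request_headers(stream: bytes) -> Optional[dict]:
    """Return lower-cased header names once the full header block has arrived."""
    if not stream.startswith(HTTP_METHODS):
        return None                       # not HTTP: leave to other signatures
    head, sep, _ = stream.partition(b"\r\n\r\n")
    if not sep:
        return None                       # header block still split across segments
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def classify(segments: list) -> Optional[dict]:
    """Reassemble in-order segments, then sub-classify by Host and User-Agent."""
    headers = parse_http_request_headers(b"".join(segments))
    if headers is None or "host" not in headers:
        return None
    host = headers["host"].split(":")[0].lower().rstrip(".")  # drop port, normalise case
    portal = next((p for s, p in PORTAL_BY_SUFFIX.items()
                   if host == s or host.endswith("." + s)), "unknown")
    ua = headers.get("user-agent", "")
    device = next((d for tok, d in DEVICE_BY_UA_TOKEN.items() if tok in ua), "unknown")
    return {"l7": "http", "service": SERVICE_BY_HOST.get(host, "unknown"),
            "portal": portal, "device": device}


# Constructed request, split inside the Host header name to mimic TCP segmentation.
SEG1 = b"GET /live HTTP/1.1\r\nHo"
SEG2 = b"st: TV.Example.NET:8080\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n\r\n"

if __name__ == "__main__":
    print(classify([SEG1]))        # first segment alone cannot be classified
    print(classify([SEG1, SEG2]))  # reassembled stream yields all sub-classes
```

Matching the portal on a dot-anchored suffix rather than a substring keeps a host such as `notexample.net` from being attributed to `example.net`.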