Monday, January 28, 2013

Research: OpenDPI Performance; How many Packets Needed to Identify Applications?

New research by Jawad Khalife and Amjad Hajjar (pictured), Lebanese University/Faculty of Engineering, IT department, Beirut, Lebanon and Jesús Díaz-Verdejo, University of Granada/Department of Signal Processing, Telematics and Communication, Granada, Spain looks at the performance of OpenDPI (see also "nDPI Supports Skype, Whatsapp and Netflix" - here).


The identification of the nature of the traffic flowing through a TCP/IP network is a relevant target for traffic engineering and security related tasks. Despite the privacy concerns it arises, Deep Packet Inspection (DPI) is one of the most successful current techniques. Nevertheless, the performance of DPI is strongly limited by computational issues related to the huge amount of data it needs to handle, both in terms of number of packets and the length of the packets. One way to reduce the computational overhead with identification techniques is to sample the traffic being monitored. This paper addresses the sensitivity of OpenDPI, one of the most powerful freely available DPI systems, with sampled network traffic. Two sampling techniques are applied and compared: the per-packet payload sampling, and the per-flow packet sampling. Based on the obtained results, some conclusions are drawn to show how far DPI methods could be optimised through traffic sampling.

One finding relates to the number of packet the classifier needs to see in order to correctly classify applications, which significantly affect the system performance:

 "The average packet detection number in the dataset is shown in Fig. 6  for most common protocols. Some protocols like iMESH and Bittorrent, show higher values than other protocols. We validated the fact that the presence of most deviation is due to flows that were under course during the start of the capture. Most protocols averages were below 10 packets .. As a result for per-flow sampling, studied in this section, inspecting the first 4 to 10 packets of a flow (as DPI input for inspection) could maintain the flow classification accuracy at high levels ranging from 90% to 99%. 

In choosing the appropriate value of Nmin 
for the 
classifier, two situations should be distinguished

according to the classification target:

If the target is to classify only one specific protocol, 
min could be easily specified according to Fig. 6 (e.g. for 
HTTP, Nmin=4). In this case, the classifier would inspect only the minimum number of packets, necessary for flow classification. However, if the target is to classify all protocols, which is the most common situation, Nmin should be assigned the maximum value of the average packet detection number (Nmin=10) in order to classify most protocols. In this case, and for protocols whose 
average packet detection number is lower than Nmin, the classifier would inspect more packets than necessary.
See "Performance of OpenDPI in Identifying Sampled Network Traffic" - here.

No comments:

Post a Comment