Traffic Classification with Deep Neural Networks – Part 1

Enterprise Class Security Firewall

Hi everyone! Today I’m going to talk about Traffic Classification. In a previous life, I worked for a couple of computer networking manufacturers and before that I graduated from UCI with a specialization in Computer Networking. In short, this topic is quite near and dear to my heart. Being an avid gamer, my mind wonders, “Is there a fast and accurate solution that can classify traffic to help guarantee quality of service or application performance?”. In a world where each household can have dozens of connected devices with multiple types of applications on each device, how and where should we optimize all that traffic? The answer lies in the gateway/router, where all the traffic must pass through. Here are the design questions I will try to answer during my research on this topic.

  • Can we design a model that can classify real-time sensitive applications (gaming, voice chat, video chat) over all others?
  • Can that model have equal or better accuracy compared to traditional methods?
  • Can inference performance classify traffic in real-time?
  • How fast can we get?
  • Does today’s consumer router hardware have the performance needed to run inference models in real-time?

Application Hierarchy

The goal of this exercise is to focus on applications that are highly sensitive to lag and jitter. Here are the three major applications I can think of (if you know of others feel free to leave a comment!):

  • Gaming – Especially with multi-player games and Player vs. Player games, lag can mean the difference between life and death (in the game of course). Having the ability to prioritize this traffic first over others could help improve the gaming experience.
  • Voice Chat and VoIP – Because voice occurs mostly in real-time, any lag will severely impair the ability to converse. You can’t buffer the conversation and any gaps or dead air will lead to a frustrating user experience.
  • Video Chat – This is a combination of Voice and Video, but I would still put Voice at a higher priority. A couple of lost pixels or stutters will still allow your brain to fill in the gaps visually. Dead air is much harder to deal with during a voice conversation.

What about everything else? Well, HTTP, FTP, BitTorrent, Music and Video streaming are all not really sensitive to lag. Video and Music can be buffered, with the exception of live TV streaming. But even that tends to lag behind a traditional video feed from an antenna or a cable box, so your “live” stream can still be behind. In my opinion, all of these other things can be put in a best effort queue to fight amongst themselves. Or you can make a Medium and a Low priority queue for Video and everything else respectively, while time sensitive applications can go into a High priority queue to be sent out first.

Traditional Methods

Anatomy of a TCP/IP Packet

The two major methods of traffic classification before the advent of AI models are Port Based and Deep Packet Inspection (DPI).

  • Port Based – [Pros] Fast and easy. This only requires checking the application port of a packet and making a prediction against that port number. Both the Internet Assigned Numbers Authority (IANA) and the Internet Engineering Task Force (IETF) have defined best practices for application port use. [Cons] These are guidelines, not strictly enforced rules. Applications can technically use any ports they want and overlap could occur often, leading to false positives.
  • Deep Packet Inspection – [Pros] Predictions are more accurate because they are based on pre-defined signatures which are checked against the packet payload/data. [Cons] Heavy investment in updating signatures whenever a new application comes out. Inspecting the payload of every packet also has a high performance cost, one usually affordable only on enterprise class security routers/gateways. Signature updates are provided through paid subscription models.
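
To make the port-based weakness concrete, here is an added example (not code from the original post) that parses the IPv4 and TCP/UDP headers of a few constructed packets, classifies each by port alone, and scores the result against the flow's true class. The port set, addresses, queue names and sample flows are all assumptions chosen for illustration.

```python
import struct

# Ports treated as latency-sensitive. Illustrative choices (assumption):
# 5060 = SIP, 3478 = STUN, 27015 = a port commonly used by game servers.
HIGH_PORTS = {5060, 3478, 27015}

def build_packet(proto, sport, dport):
    """Build a minimal IPv4 + TCP/UDP header (constructed sample, zero checksums)."""
    if proto == 17:  # UDP: source port, destination port, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:            # TCP: 20-byte header, data offset 5 words, ACK flag
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return ip + l4

def classify_by_port(packet):
    """Queue chosen by a port-only classifier: 'high' or 'best_effort'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "best_effort"                 # not IPv4
    ihl = (packet[0] & 0x0F) * 4             # IP header length in bytes
    if ihl < 20 or packet[9] not in (6, 17) or len(packet) < ihl + 4:
        return "best_effort"                 # not TCP/UDP, or truncated
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    return "high" if {sport, dport} & HIGH_PORTS else "best_effort"

# Constructed flows: (description, true queue, packet)
FLOWS = [
    ("SIP call on 5060/udp", "high", build_packet(17, 40000, 5060)),
    ("game on 27015/udp", "high", build_packet(17, 40001, 27015)),
    ("web browsing on 443/tcp", "best_effort", build_packet(6, 40002, 443)),
    ("game on ephemeral 50123/udp", "high", build_packet(17, 40003, 50123)),
    ("voice chat tunnelled over 443/tcp", "high", build_packet(6, 40004, 443)),
    ("bulk transfer moved to 5060/udp", "best_effort", build_packet(17, 40005, 5060)),
]

def evaluate(flows):
    """Return (accuracy, descriptions of misclassified flows)."""
    wrong = [d for d, truth, pkt in flows if classify_by_port(pkt) != truth]
    return 1 - len(wrong) / len(flows), wrong

if __name__ == "__main__":
    acc, wrong = evaluate(FLOWS)
    print(f"accuracy {acc:.0%}")
    for d in wrong:
        print("misclassified:", d)
```

The three misses are the cases the bullet describes: latency-sensitive traffic on a port the table does not know, latency-sensitive traffic sharing a port with web traffic, and bulk traffic that lands in the high-priority queue simply because it uses a listed port.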

As you can see, neither traditional method is ideal for the everyday consumer. Making predictions on attributes that are extremely dynamic, like Application Port, IP Address or MAC Address, does not make a lot of sense. Those attributes can also be easily spoofed or faked, which would circumvent the detection altogether. Deep Packet Inspection is more accurate but the resource cost is high, requiring dedicated enterprise class security hardware. What's the solution? This is where Deep Learning comes in. If we can define an AI model that can accurately classify traffic with low resource requirements for inference in real-time, that will be the perfect storm for implementation into a consumer class router.

That’s it for today! In Part 2, I will talk about datasets and how to find them. Stay tuned.

