Research: OpenDPI Performance; How many Packets Needed to Identify Applications?

29 Jan

New research by Jawad Khalife and Amjad Hajjar (pictured), Lebanese University/Faculty of Engineering, IT department, Beirut, Lebanon and Jesús Díaz-Verdejo, University of Granada/Department of Signal Processing, Telematics and Communication, Granada, Spain looks at the performance of OpenDPI (see also “nDPI Supports Skype, Whatsapp and Netflix” – here).

Abstract

The identification of the nature of the traffic flowing through a TCP/IP network is a relevant target for traffic engineering and security related tasks. Despite the privacy concerns it arises, Deep Packet Inspection (DPI) is one of the most successful current techniques. Nevertheless, the performance of DPI is strongly limited by computational issues related to the huge amount of data it needs to handle, both in terms of number of packets and the length of the packets. One way to reduce the computational overhead with identification techniques is to sample the traffic being monitored. This paper addresses the sensitivity of OpenDPI, one of the most powerful freely available DPI systems, with sampled network traffic. Two sampling techniques are applied and compared: the per-packet payload sampling, and the per-flow packet sampling. Based on the obtained results, some conclusions are drawn to show how far DPI methods could be optimised through traffic sampling.

One finding relates to the number of packet the classifier needs to see in order to correctly classify applications, which significantly affect the system performance:

The average packet detection number in the dataset is shown in Fig. 6  for most common protocols. Some protocols like iMESH and Bittorrent, show higher values than other protocols. We validated the fact that the presence of most deviation is due to flows that were under course during the start of the capture. Most protocols averages were below 10 packets .. As a result for per-flow sampling, studied in this section, inspecting the first 4 to 10 packets of a flow (as DPI input for inspection) could maintain the flow classification accuracy at high levels ranging from 90% to 99%. 

In choosing the appropriate value of Nmin for the classifier, two situations should be distinguished according to the classification target: If the target is to classify only one specific protocol, Nmin could be easily specified according to Fig. 6 (e.g. for  HTTP, Nmin=4). In this case, the classifier would inspect only the minimum number of packets, necessary for flow classification. However, if the target is to classify all protocols, which is the most common situation, Nmin should be assigned the maximum value of the average packet detection number (Nmin=10) in order to classify most protocols. In this case, and for protocols whose average packet detection number is lower than Nmin, the classifier would inspect more packets than necessary.

See “Performance of OpenDPI in Identifying Sampled Network Traffic” – here.
Source: http://broabandtrafficmanagement.blogspot.nl/2013_01_01_archive.html

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: