Detecting VoIP Traffic Based on Human Conversation Patterns


Published on

Owing to the enormous growth of VoIP applications, an effective means of identifying VoIP is now essential for managing a number of network traffic issues, such as reserving bandwidth for VoIP traffic, assigning high priority for VoIP flows, or blocking VoIP calls to certain destinations. Because the protocols, port numbers, and codecs used by VoIP services are shifting toward proprietary, encrypted, and dynamic methods, traditional VoIP identification approaches, including port- and payload-based schemes, are now less effective. Developing a traffic identification scheme that can work for general VoIP flows is therefore of paramount importance.

In this paper, we propose a VoIP flow identification scheme based on the unique interaction pattern of human conversations. Our scheme is particularly useful for two reasons: 1) flow detection relies on human conversations rather than packet timing; thus, it is resistant to network variability; and 2) detection is based on a short sequence of voice activities rather than the whole packet stream. Hence, the scheme can operate as a traffic management module to provide QoS guarantees or block VoIP calls in real time. The performance evaluation, which is based on extensive real-life traffic traces, shows that the proposed method achieves an identification accuracy of 95% in the first 4 seconds of the detection period and 97% in 11 seconds.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Detecting VoIP Traffic Based on Human Conversation Patterns

  1. 1. Chen‐Chi Wu1, Kuan‐Ta Chen2 Yu‐Chun Chang1, Chin‐Laung Lei1 1Department of Electrical Engineering, National Taiwan University 2Institute of Information Science, Academia Sinica IPTComm 2008 1
  2. 2. Outline Motivation Methodology Performance evaluation Summary IPTComm 2008 2
  3. 3. Motivation VoIP is becoming popular because of Low call cost High voice quality Skype, a popular VoIP application over 10,000,000 concurrent users Accurately identifying VoIP flows from the network traffic  is required Traffic analysis Traffic management IPTComm 2008 3
  4. 4. Motivation Challenges of VoIP flows identification Various signaling protocols: SIP, H.323, various proprietary  protocols Non‐standard port numbers Packet payload encryption The interaction of human conversation is unique result in a specific characteristic of VoIP traffic IPTComm 2008 4
  5. 5. 4‐State Traffic Pattern Infer the on/off (talking/silence) pattern by the level of the  packet rate during a short period We model a two‐way conversation by a process of four states State A: a period that speaker A is talking and B is silent State B: B is talking and A is silent State D: both A and B are talking State M: mutual silence ON OFF ON OFF IPTComm 2008 5
  6. 6. Intuition behind Our Approach The 4‐state traffic pattern of VoIP traffic is unique  compared to that of other network applications Web P2P (BitTorrent) Online game (WoW) TELNET VoIP (Skype) A or B D M IPTComm 2008 6
  7. 7. Methodology Detect VoIP flows based on the unique human speech  conversation patterns embedded in voice traffic Derive features (attributes) from the conversation  patterns Adopt naïve Bayesian classifier, a supervised machine  learning tool, to divide traffic into the VoIP and non‐VoIP  class The class label of each training data is required IPTComm 2008 7
  8. 8. Methodology Overview Training phase Identification phase Incoming flows  Labeled training flows  (unknown class) (VoIP or non‐VoIP) Extract conversation patterns and derive Extract 4‐state traffic Naïve  features    patterns and derive Bayesian features    Classifier Flow vectors Learn classifier Classify parameters Flow vectors Flow labels (VoIP or non‐VoIP)  IPTComm 2008 8
  9. 9. Naïve Bayesian Classifier Naïve Bayesian classifier is based on the Bayes’ theorem P( B | A) P( A) P( A | B) = P( B) Each flow is represented by a vector  X = (x1, x2,…, xn),   depicting n features A1, A2,…, An Suppose there are m classes, C1, C2,…, Cm IPTComm 2008 9
  10. 10. Naïve Bayesian Classifier Given a flow vector X, the classifier predicts the flow  belongs to class Ci iff P (C i | X ) > P (C j | X ) for 1 ≤ j ≤ m, j ≠ i By Bayes’ theorem P( X | Ci ) P(Ci ) P(Ci | X ) = P( X ) P ( X ) is constant and             is the prior probability, thus  P (Ci ) the task is to maximize P ( X | Ci ) IPTComm 2008 10
  11. 11. Naïve Bayesian Classifier The naïve assumption is that the values of the features  are conditionally independent of one another n P ( X | C i ) = ∏ P ( x k | Ci ) k =1 = P( x1 | Ci ) × P ( x2 | Ci ) × × P ( x n | Ci ) P ( x1 | Ci ), P ( x2 | Ci ),..., P ( xn | Ci ) can be easily estimated  from the training data IPTComm 2008 11
  12. 12. How to derive features from the 4‐ state traffic pattern? Use a Markov chain to model the VoIP traffic pattern Statistics of traffic patterns Web P2P WoW TELNET VoIP A or B D M IPTComm 2008 12
  13. 13. Markov Chain Build a Markov chain model based on a set of known VoIP  traffic patterns Derive a feature – likelihood value Transition probabilities of the Markov chain A B D M A 0.9022 0.0028 0.0380 0.0571 B 0.0029 0.9030 0.0391 0.0550 D 0.0607 0.0592 0.8763 0.0038 M 0.0465 0.0439 0.0019 0.9078 4‐state Markov chain IPTComm 2008 13
  14. 14. Likelihood of Traffic Patterns Given a traffic pattern with a state sequence S1, S2,…, Sn,  where Si ∈ { A, B, D, M } Compute the log‐likelihood value as log( P , 2 × P2,3 × × P( n −1) n ) 1 Pi,j : the transition probability from Si to Sj Traffic flows may vary in length, thus define the  normalized log‐likelihood value as log( P , 2 × P2,3 × × P( n −1) n ) 1 N N: the length of the sequence IPTComm 2008 14
  15. 15. Likelihood of Traffic Patterns The Markov chain represents typical human conversation VoIP flows => large log‐likelihood value Non‐VoIP flows => low log‐likelihood value Exhibit non‐human‐like behavior: non‐interactive,  independent, unidirectional IPTComm 2008 15
  16. 16. Statistics of Traffic Patterns Mean of the period that party A (or B) is ON (talking) each  time (also compute the standard deviation) Bidirectional behavior Mean and standard deviation of the sojourn time in  states A, B, D, M, respectively Interactive behavior State alternation frequency Fragmented and disordered level of traffic pattern IPTComm 2008 16
  17. 17. Statistics of Traffic Patterns State alternation frequency Alternation frequency between different states E.g., (6 alternations between different states) / (20 sec.) IPTComm 2008 17
  18. 18. Feature Summary Feature set Normalized log‐likelihood value based on the Markov  chain Speech period of party A or B (mean, standard deviation) Sojourn time in each states* (mean, standard deviation) Ratio of sojourn time in each states* Alternation rate between states* *states A, B, D, M IPTComm 2008 18
  19. 19. Methodology Training phase Identification phase Incoming flows  Labeled training flows  (unknown class) (VoIP or non‐VoIP) Extract conversation patterns and derive Extract 4‐state traffic Naïve  features    patterns and derive Bayesian features    Classifier Flow vectors Learn classifier Classify parameters Flow vectors Flow labels (VoIP or non‐VoIP)  IPTComm 2008 19
  20. 20. Trace Collection We collected network traffic from 5 categories of  applications VoIP (Skype), TELNET, Web, P2P (BitTorrent), online game  (World of Warcraft) Category # Connections Duration # Packets Bytes VoIP 462 2,388 (min) 4,728,240 4,318 (MB) TELNET 2,008 4,729 (min) 10,559,261 7,331 (MB) Web 1,406 1,537 (min) 2,528,359 680 (MB) P2P 15,845 3,334 (min) 29,220,870 30,500 (MB) Online game 2,224 120 (min) 28,264,360 59,097 (MB) IPTComm 2008 20
  21. 21. Performance Evaluation Detect VoIP flows as early as possible Detection time is a major concern 95% accuracy with 4‐second detection time 97% accuracy with 11‐second detection time IPTComm 2008 21
  22. 22. Performance Evaluation Goal        detect VoIP flows VoIP flows         positives, non‐VoIP flows        negatives True positive rate The  number  of  VoIP  flows  correctly  identified TPR = The  number  of  total  VoIP  flows False positive rate The  number  of  non ‐ VoIP  flows  correctly  identified FPR = The  number  of  total  non ‐ VoIP  flows True negative rate IPTComm 2008 22
  23. 23. Performance Evaluation 97% TPR with a detection time longer than 3 sec. Flows of World of Warcraft tend to be mis‐identified Achieve 90% TNR with a detection time longer than 10 sec. IPTComm 2008 23
  24. 24. ROC Curves ROC (Receiver Operating Characteristic) IPTComm 2008 24
  25. 25. Summary Propose a VoIP flow identification scheme based on  human conversation patterns Our scheme yields an identification accuracy 95% within  4 sec. of the detection time, and 97% within 11 sec. High accuracy in short detection time IPTComm 2008 25
  26. 26. Thanks for your attention IPTComm 2008 26