Method and system for detecting a single data flow in an aggregate packet data flow and for identifying the application generating said single data flow

Abstract

The invention relates to a method and a system for detecting a single data flow in an aggregate packet data flow and identifying the application generating the single data flow, this single data flow being divided into messages, each message comprising a plurality of blocks, each block (g) having n bits for identifying 2n block values (i). The method comprises the steps of providing, for each block value (i), an expected frequency value (Ei), measuring, for a predefined number (G) of blocks (g), the values Formula (I) of frequency with which each block (g) identifies each block value (i) so as to obtain a plurality of measured frequency values Formula (I), processing, for each block (g), the measured frequency values Formula (I) and the expected frequency values (Ei) in order to generate a frequency deviation value Formula (II) representative of the deviation of the measured frequency values Formula (I) with respect to the expected frequency values (Ei), and processing the frequency deviation values Formula (II) generated for each block (g) with at least one frequency deviation threshold value (χth) in order to detect the single data flow and identify the application generating said single data flow.

Description

The present invention relates to a method and a system for detecting a single data flow in an aggregate packet data flow and for identifying the application generating the single data flow.

In the prior art, there is known the problem of detecting a single data flow in a packet data flow and of identifying the application generating that flow, for example identifying a single voice flow, and the application that generated it, in an aggregate traffic or flow on an IP network.

In particular, such a problem is known with reference to VoIP telephony in which a voice communication is set up over an IP network between two users using unknown and encrypted protocols. A typical example of software that generates voice data flow over an IP network is Skype.

The protocols and algorithms enabling Skype, and most voice programs, to generate voice data flow over an IP network are unknown and often encrypted and are based on encrypting the content.

For this reason it is very difficult to detect the presence of a single data flow generated by a particular application, such as for example Skype, in an aggregate data flow comprising flows generated by various types of applications, whether voice, data transport, video communications, etc.

From the above-described, there emerges the requirement to be capable of detecting the presence of a single data flow in an aggregate packet data flow and of identifying the application generating the single data flow without knowledge of the protocols and algorithms used by the application itself to generate the single data flow and to include such a single data flow in the aggregate packet data flow.

In view of the prior art described, the aim of the present invention is to implement a method and a system for detecting a single data flow in an aggregate packet data flow and identifying the application generating the single data flow, capable of overcoming the drawbacks present in the prior art.

According to the present invention, such an aim is achieved by a method for detecting a single data flow in an aggregate packet data flow and identifying the application generating the single data flow, according to claim 1.

By virtue of the present invention, it is possible to obtain a method for detecting a single data flow in an aggregate packet data flow and identifying the application generating the single data flow over an IP network using a simple technique.

According to a further aspect of the present invention, such an aim is achieved by a system for detecting a single data flow in an aggregate packet data flow and identifying the application generating the single data flow, according to claim 6.

Other features and advantages of the method and system for detecting a single data flow in an aggregate packet data flow and identifying the application generating the single data flow, according to the present invention, will become clear from the following description of a preferred example embodiment, given by way of indication and in a non-limiting manner, with reference to the appended drawings, in which:

FIG. 1 shows a block diagram explaining the method and system for detecting a single data flow in an aggregate packet data flow and identifying the application generating the single data flow according to the present invention,

FIG. 2 shows frequency deviation distributions processed for deterministic, random and mixed blocks of bits.

Hereafter in the present description statistical functions for measuring the frequency deviation will be used, in particular the Pearson chi-square function. The Pearson chi-square statistical function is illustrated below.

The Pearson chi-square function provides for checking whether the behaviour of an object, observed for a finite number of times, follows an expected behaviour.

This is carried out by calculating the deviation of the measured values of the object with respect to the expected distribution of values of the object.

It is assumed for example that an object is observed for a number of times N_TOT and that the object under observation can take N possible outputs or values for each observation.

If the expected distribution of values is such that the value i, where recurs with a probability p_i, then the expected number of events or frequency of i is given by the relationship E_i=N_TOTp_i. With O_i representing the number of events or frequency of i actually observed during the observation, then the value

${\chi }^2=\sum _{i=0}^{N-1}\frac{{\left(O_i-E_i\right)}^2}{E_i}$

represents a measurement of the deviation of the observed behaviour with respect to the expected behaviour, i.e. of the observed frequency with respect to the expected frequency.

If the observed object behaves as expected, then the value of χ² is distributed according to a chi-square distribution with N−1 degrees of freedom.

The chi-square function can be used even for a single observation. In particular, it is assumed that the value of the observed object is distributed with probabilities p_i.

In the case in point of an aggregate packet data flow, the packet data flow is generated by a specific generating application and is divided into messages, each message comprising a plurality of blocks g.

Each block g of the plurality of blocks has n bits for identifying 2ⁿ block values i, for example i=0, 1, 2, . . . , 2ⁿ−1.

With reference to the appended drawings, the method for detecting a single data flow in an aggregate packet data flow and identifying the application generating the single data flow comprises the steps of:

a) providing, for each block value i, an expected frequency value E_i,

b) measuring, for a predefined number G of blocks g of the plurality of blocks, i.e. for Gn bits, the values O_i^g of frequency with which each block g assumes each block value i so as to obtain a plurality of measured frequency values O_i^g,

c) processing, for each block g, the measured frequency values O_i^g and the expected frequency values E_i in order to generate a frequency deviation value χ_g² representative of the deviation of the plurality of measured frequency values O_i^g with respect to the expected frequency values E_i,

d) processing the frequency deviation values χ_g² generated for each block g with at least one frequency deviation threshold value χ_th in order to detect the presence of a single data flow in said aggregate packet data flow and identify the application generating the single data flow.

The single data flow can be both a voice flow and a peer-to-peer (P2P) flow.

In particular, as will be described in detail below, step d) enables the source generating the single data flow, i.e. the application used to generate the detected single data flow, to be determined.

According to one embodiment, step d) comprises the steps of:

d1) processing the frequency deviation values χ_g² generated for each block g in order to generate at least one reference frequency deviation value χ_ref for said predefined number of blocks G, and

d2) comparing these generated reference frequency deviation values χ_ref with the frequency deviation threshold value χ_th in order to determine the source generating the single data flow.

According to one embodiment, step c) comprises the step of applying the plurality of measured frequency values O_i^g and the expected frequency values E_i to a function of statistical measurement of the frequency deviation.

In particular, the function of statistical measurement of the frequency deviation can be chosen from one of the functions of entropy, mean, variance, chi-square and similar.

In this case, the chi-square function is chosen, expressed by the following formula:

${\chi }_g^2=\sum _{i=0}^{2^n-1}\frac{{\left(O_i^g-E_i\right)}^2}{E_i}$

where

χ_g² corresponds to the frequency deviation value χ_g²,

O_i^g corresponds to the plurality of measured frequency values O_i^g, and

E_i corresponds to the expected frequency values E_i.

The expected frequency values E_i can be obtained as a function of the application which is desired to be identified, or, in the absence of such information a priori, can be distributed uniformly.

With reference to the appended drawings, there is described hereafter the application of the method according to the invention for detecting a single data flow generated by a Voice over IP application, Skype, in an aggregate packet data flow and identifying such an application generating the single data flow.

Since Skype is a closed and proprietary program which uses encryption algorithms, it is not possible to identify a data flow generated by Skype using conventional techniques for analyzing the contents of packets.

However, there is an important difference regarding messages introduced into a network according to the transport protocol underneath used.

For example, the TCP protocol implements a connection-oriented transmission protocol and therefore guarantees that all the segments of data are received in the same sequence as when they are introduced into the network, possibly with a delay.

However the connectionless service for a connection provided by the UDP protocol does not guarantee the delivery of all the data and in the same sequence as when the data items were introduced.

Consequently, a Skype encoder cannot encrypt the whole message but must allow the Skype receiver to extract from the application layer header some additional information for detecting and managing any messages that are lost or delivered out of sequence to the receiver.

This information cannot be protected by encryption but can only be obscured in such a way that it is easily identified upon reception. This portion of the message is called the Start of Message (SoM).

For example, when a message is transported over the TCP protocol, the entire content of the Skype message is encrypted and therefore the bytes of the message randomly take random values. On the other hand, in the case of transport over UDP, only a part of the message is distributed randomly while other parts exhibit statistical properties typical of deterministic data, for example the SoM.

The method described above provides for differentiating therefore the single data flow generated by Skype applications from data flows generated by other applications for generating a data or voice flow over IP, since such applications use different header formats resulting in different distributions of the bytes of the messages.

It is therefore necessary to check whether the frequency deviation values χ_g² are such as to satisfy the expected assumption. With this assumption expected, the content features of the message are used, which are summarized in the table below for messages of type End-to-End (E2E) over UDP, End-to-Out (E2O) over UDP and End-to-End or End-to-Out over TCP, where End-to-End represents traffic generated between two host terminals, each of which uses a Skype client, while End-to-Out represents traffic generated between a host terminal and a conventional PSTN terminal.

TABLE
Skype
method	Start of Message (SoM)	Payload
Byte position	1-2	3	4	5- . . .
E2E over	Random	Mixed	Random	Random
UDP
E2O over	Deterministic	Deterministic	Deterministic	Random
UDP
E2E-E2O	Random	Random	Random	Random
over TCP

For example, the E2E over UDP flow has bytes 1, 2 and 4 encrypted, i.e. random, while byte 3 contains some random bits and some constant bits (mixed in the table), and the start of message bytes of the E2O over UDP flow take deterministic values.

To determine whether a block has a random, deterministic or mixed distribution, the distribution of uniformly distributed bits is considered to be the expected distribution. In that case the expected frequency value E is equal to N_TOT/2ⁿ for all the block values i, where N_TOT is the number of messages analyzed belonging to the flow.

The generated frequency deviation values 4 are therefore compared with one or more thresholds derived from the chi-square distribution with 2ⁿ−1 degrees of freedom. These thresholds are indicated by χ_Rnd², χ_Mix² and χ_Det² for random, mixed and deterministic blocks respectively.

The values G, for the predefined number of blocks, and n number of bits can be fixed, for example at n=4 bits and G=16. In that case, this gives the reference chi-square distribution having 2ⁿ−1=15 degrees of freedom and E_i=N_TOT/16 for all the block values i=0, . . . , 15.

The generated frequency deviation values χ_g² and the reference frequency deviation values χ_Rnd², χ_Mix², and χ_Det² are compared for example as follows:

$-E2E\mathrm{over}\mathrm{UDP}$ $\underset{g\in G^{\prime }}{\max }{\chi }_g^2<{\chi }_{\mathrm{Rnd}}^2\bigwedge \underset{g\in \left\{5,6\right\}}{\min }{\chi }_g^2>{\chi }_{\mathrm{Mix}}^2$

where:

G′={g|1≦g≦G,g≠5,6} are the blocks g corresponding to the random part of the E2E message,

$\underset{g\in G^{\prime }}{\max }{\chi }_g^2$ is a first generated reference frequency deviation value,

$\underset{g\in \left\{5,6\right\}}{\min }{\chi }_g^2$ is a second generated reference frequency deviation value, and

χ_Rnd² and χ_Mix² are two frequency deviation threshold values.

In essence, it is expected that the blocks g with random distribution have uniform distribution and therefore the generated frequency deviation values χ_g² must be relatively low and therefore less than the frequency deviation threshold value χ_Rnd², and that the blocks g with mixed distribution containing some deterministic blocks have high generated frequency deviation values χ_g² and therefore greater than the frequency deviation threshold value χ_Mix².

$-E20\mathrm{over}\mathrm{UDP}$ $\underset{g\in 1,\dots ,8}{\max }{\chi }_g^2<{\chi }_{\mathrm{Det}}^2\bigwedge \underset{g=9,\dots ,16}{\max }{\chi }_g^2<{\chi }_{\mathrm{Rnd}}^2$

In this case, it is expected that the start of message SoM, i.e. the first 4 bytes, i.e. g=8 blocks of n=4 bits, is deterministic and that the remaining part is random, since the whole message is encrypted.

$-E2E-E20\mathrm{over}\mathrm{TCP}$ $\underset{g=1,\dots ,16}{\max }{\chi }_g^2<{\chi }_{\mathrm{Rnd}}^2$

In these cases, it is expected that all the blocks of bits have random distributions.

Advantageously, the number of messages belonging to the flow N_TOT is large. For example, the number N_TOT is such that the expected frequency value E_i≧5 for all the block values i. In the example stated here, this amounts to saying that

$\frac{N_{\mathrm{TOT}}}{2^n}\ge 5,$ i.e. N_TOT≧80 with n=4 bits.

It is also worthwhile noting that the difference between the generated frequency deviation values χ_g² for a deterministic or random block g increases as a function of the value of the number of messages belonging to the flow N_TOT.

For a deterministic block g:

$\begin{array}{c}{\chi }_g^2=\sum _{i=0}^{2^n-1}\frac{{\left(O_i^g-E_i\right)}^2}{E_i}\\ =\frac{{\left(N_{\mathrm{TOT}}-E\right)}^2+\left(2^n-1\right)E^2}{E}=\\ =N_{\mathrm{TOT}}\left(2^n-1\right).\end{array}$

Therefore χ_g² increases substantially linearly with N_TOT, therefore the greater the length of the flow, the greater N_TOT and the greater the expectation that the block g is deterministic, i.e. exceeds the reference threshold value χ_Det².

In the case of a mixed block g, if one bit is fixed and the others have random distributions, O_i=0 for half of the possible block values i, and O_i>0 for the remaining block values i. Since the possible values of i are 2ⁿ, the generated frequency deviation value χ_g² is:

$\begin{array}{c}{\chi }_g^2=\sum _{i=0}^{2^n-1}\frac{{\left(O_i^g-E_i\right)}^2}{E_i}\\ =\sum _{i=0}^{2^n-1}\frac{{\left(O_i^g-E\right)}^2}{E}+2^{n-1}\frac{E^2}{E}=\\ =2{\chi }_{2^{n-1}-1}^2+N_{\mathrm{TOT}}.\end{array}$

where χ_2n-1-1² is the chi-square function with 2^n-1−1 degrees of freedom. In other words, χ_2n-1-1² is a value which can be obtained from an observation of random bits with 2^n-1 possible bit values, rather than 2ⁿ possible values.

This means that in the case of a block g with a deterministic bit, χ_g² still increases linearly with N_TOT.

In FIG. 2 the generated frequency deviation values χ_g² are noted for blocks of mixed, random and deterministic bits on identified flows such as Skype flows. It can be observed how χ_g² increases linearly with N_TOT both for deterministic blocks and for mixed blocks, where for completely deterministic blocks it has a greater frequency deviation with respect to mixed blocks. In FIG. 2, the values χ_g² taken by random blocks that do not depend on N_TOT are also indicated. From FIG. 2, it is deduced that mixed, deterministic and random blocks can be differentiated from one another as a function of the generated frequency deviation values χ_g² and that the frequency deviation threshold values are not critical parameters for such an identification.

In the example, in order to reduce the number of parameters, one can set χ_Rnd²=χ_Mix²=χ_Det²=150.

The present invention also relates to a system for detecting a single data flow in an aggregate packet data flow and identifying the generating application in the single data flow. The system comprises storage means for storing, for each block value i, an expected frequency value E_i, and for storing a frequency deviation threshold value χ_th, and measurement means for measuring, for a predefined number G of blocks g of the plurality of blocks, the values O_i^g frequency with which each block g identifies each block value i for generating a plurality of measured frequency values O_i^g.

The system also comprises processing means in signal communication with the measurement means and with the storage means for processing, for each block g, the plurality of measured frequency values O_i^g and the expected frequency values E_i in order to generate a frequency deviation value χ_g² representative of the deviation of the plurality of measured frequency values O_i^g with respect to the expected frequency values E_i, and processing the frequency deviation values χ_g² generated for each block (g) with the frequency deviation threshold value χ_th in order to generate a signal representative of the presence of the single data flow in the aggregate packet data flow and representative of the application generating the single data flow.

Advantageously, the method and the system of the present invention can be used in combination with the method and the system for detecting voice data flow in a packet data flow described in Italian patent application no. MI 2006 A 002417 included here for reference.

In summary, the method and the system of Italian patent application MI 2006 A 002417 provide for the packet data flow to be able to be characterized by at least two measurable variables X,Y and provide, for each measurable variable X,Y, a distribution function P{x|C},P{y|C} for the values of each variable X,Y in a voice data flow. Next, the values x,y of each variable X,Y are measured to obtain a sequence of measured values x^(k), y^(k) on a number K of blocks and each measured value x^(k), y^(k) is applied to the respective distribution function P{x|C}, P{y|C} in order to generate a sequence of values of likelihood B_x^(k), B_y^(k) from which respective average likelihood values E[B_x], E[B_y] are generated. Lastly, these average values are processed to generate a reference likelihood value B which, compared with a threshold likelihood value B_min, provides for detecting the presence of voice data flow in the packet data flow.

From experiments that have been performed, it has emerged that the combined use of the method and system described in Italian patent application MI 2006 A 002417 and the method and system of the present invention is extremely effective in detecting and classifying any voice over IP traffic and in detecting and classifying voice traffic generated by a Skype application and transported either over UDP or over TCP. It was also demonstrated that both methods and both systems mentioned above exhibit a high level of robustness.

As can be appreciated from that which has been described above, the method and system according to the present invention provide for meeting the requirements and overcoming the drawbacks referred to in the introductory part of the present description with reference to the prior art.

In particular, the method and system according to the invention provide for detecting the presence of any type of voice flow, even an encrypted one.

Clearly, in order to satisfy the contingent and specific requirements, a person skilled in the art may introduce many modifications and variants to the method and system according to the invention described above, all however contained within the scope of protection of the invention, which scope of protection is defined by the following claims.

Claims

1. Method for detecting a single data flow in an aggregate packet data flow and for identifying an application generating said single data flow, said aggregate packet data flow being divided in messages, each message comprising a plurality of blocks, each block (g) of said plurality of blocks having n bits for identifying 2n possible block values (i), said method being characterized in that it comprises the following steps: a) providing, for each block value (i), an expected frequency value (Ei),b) measuring, for a predefined number (G) of blocks (g) of said plurality of blocks, the frequency values (Oig) which each block (g) identifies each block value (i) so as to obtain a plurality of measured frequency values (Oig),c) processing, for each block (g), said plurality of measured frequency values (Oig) and the expected frequency values (Ei) for generating a frequency deviation value (χg2) representative of the deviation of the plurality of measured frequency values (Oig) with respect to the expected frequency values (Ei),d) processing the frequency deviation values (χg2) generated for each block (g) with at least one frequency deviation threshold value (χth) for detecting said single data flow in said aggregate packet data flow and for identifying the application generating said single data flow.

2. Method according to claim 1, wherein said step d) comprises the steps of: d1) processing the frequency deviation values (χg2) generated for each block (g) for generating a reference frequency deviation value (χref) for said predefined number of blocks (G),d2) comparing said generated reference frequency deviation value (χref) with said at least one frequency deviation threshold value (χth) for identifying said application generating said single data flow.

3. Method according to claim 1 or 2, wherein said step c) comprises the step of applying the plurality of measured frequency values (Oig) and the expected frequency values (Ei) to a function of statistical measurement of the frequency deviation.

4. Method according with claim 3, wherein said function of statistical measurement of the frequency deviation is chosen between one of the function entropy, mean, variance, or chi square.

5. Method according to claim 3, wherein said function of statistical measurement of the frequency deviation is the chi-square function:

6. System for detecting a single data flow in an aggregate packet data flow and identifying an application generating said single data flow, said aggregate packet data flow being divided into messages, each message comprising a plurality of blocks, each block (g) of said plurality of blocks having n bits for identifying 2n possible block values (i), said system comprising: storage means for storing, for each block value (i), an expected frequency value (Ei) and for storing a frequency deviation threshold value (χth),measurement means for measuring, for a predefined number (G) of blocks (g) of said plurality of blocks, the values (Oig) of frequency with which each block (g) identifies each block value (i) in order to generate a plurality of measured frequency values (Oig),processing means in signal communication with said measurement means and with said storage means for:processing, for each block (g), said plurality of measured values (Oig) of frequency and the expected frequency values (Ei) in order to generate a frequency deviation value (χg2) representative of the deviation of the plurality of measured frequency values (Oig) with respect to the expected frequency values (Ei), andprocessing the frequency deviation values (χg2) generated for each block (g) with said at least one frequency deviation threshold value (χth) in order to generate a signal representative of the presence of said single data flow in said aggregate packet data flow and representative of the application generating said single data flow.

7. System according to claim 6, wherein said processing means are able to process the frequency deviation values (χg2) generated for each block (g) in order to generate a reference frequency deviation value (χref) for said predefined number of blocks (G), and compare said generated reference frequency deviation value (χref) with said at least one frequency deviation threshold value (χth) in order to identify said application generating said single data flow.

8. System according to claim 6 or 7, wherein said processing means are able to apply the plurality of measured frequency values (Oig) and the expected frequency values (Ei) to a function of statistical measurement of the frequency deviation in order to generate the frequency deviation value (χg2) representative of the deviation of the plurality of measured frequency values (Oig) with respect to the expected frequency values (Ei).

9. System according to claim 8, wherein said function of statistical measurement of the frequency deviation is chosen from among one of the functions of entropy, mean, variance, or chi-square.

10. System according to claim 8, wherein said function of statistical measurement of the frequency deviation is the chi-square function: