Detecting VoIP Traffic Based on Human Conversation Patterns
2 likes1,233 views
The document presents a scheme for identifying VoIP flows by analyzing unique human conversation patterns within voice traffic, utilizing a four-state traffic model. It achieves identification accuracy of 95% within 4 seconds and 97% within 11 seconds, making it effective for real-time traffic analysis. The methodology incorporates a naïve Bayesian classifier and Markov chain modeling to extract features and classify traffic as VoIP or non-VoIP.
Detecting VoIP Traffic Based on Human Conversation Patterns
- 1. Chen‐Chi Wu1, Kuan‐Ta Chen2 Yu‐Chun Chang1, Chin‐Laung Lei1 1Department of Electrical Engineering, National Taiwan University 2Institute of Information Science, Academia Sinica IPTComm 2008 1
- 2. Outline Motivation Methodology Performance evaluation Summary IPTComm 2008 2
- 3. Motivation VoIP is becoming popular because of Low call cost High voice quality Skype, a popular VoIP application over 10,000,000 concurrent users Accurately identifying VoIP flows from the network traffic is required Traffic analysis Traffic management IPTComm 2008 3
- 4. Motivation Challenges of VoIP flows identification Various signaling protocols: SIP, H.323, various proprietary protocols Non‐standard port numbers Packet payload encryption The interaction of human conversation is unique result in a specific characteristic of VoIP traffic IPTComm 2008 4
- 5. 4‐State Traffic Pattern Infer the on/off (talking/silence) pattern by the level of the packet rate during a short period We model a two‐way conversation by a process of four states State A: a period that speaker A is talking and B is silent State B: B is talking and A is silent State D: both A and B are talking State M: mutual silence ON OFF ON OFF IPTComm 2008 5
- 6. Intuition behind Our Approach The 4‐state traffic pattern of VoIP traffic is unique compared to that of other network applications Web P2P (BitTorrent) Online game (WoW) TELNET VoIP (Skype) A or B D M IPTComm 2008 6
- 7. Methodology Detect VoIP flows based on the unique human speech conversation patterns embedded in voice traffic Derive features (attributes) from the conversation patterns Adopt naïve Bayesian classifier, a supervised machine learning tool, to divide traffic into the VoIP and non‐VoIP class The class label of each training data is required IPTComm 2008 7
- 8. Methodology Overview Training phase Identification phase Incoming flows Labeled training flows (unknown class) (VoIP or non‐VoIP) Extract conversation patterns and derive Extract 4‐state traffic Naïve features patterns and derive Bayesian features Classifier Flow vectors Learn classifier Classify parameters Flow vectors Flow labels (VoIP or non‐VoIP) IPTComm 2008 8
- 9. Naïve Bayesian Classifier Naïve Bayesian classifier is based on the Bayes’ theorem P( B | A) P( A) P( A | B) = P( B) Each flow is represented by a vector X = (x1, x2,…, xn), depicting n features A1, A2,…, An Suppose there are m classes, C1, C2,…, Cm IPTComm 2008 9
- 10. Naïve Bayesian Classifier Given a flow vector X, the classifier predicts the flow belongs to class Ci iff P (C i | X ) > P (C j | X ) for 1 ≤ j ≤ m, j ≠ i By Bayes’ theorem P( X | Ci ) P(Ci ) P(Ci | X ) = P( X ) P ( X ) is constant and is the prior probability, thus P (Ci ) the task is to maximize P ( X | Ci ) IPTComm 2008 10
- 11. Naïve Bayesian Classifier The naïve assumption is that the values of the features are conditionally independent of one another n P ( X | C i ) = ∏ P ( x k | Ci ) k =1 = P( x1 | Ci ) × P ( x2 | Ci ) × × P ( x n | Ci ) P ( x1 | Ci ), P ( x2 | Ci ),..., P ( xn | Ci ) can be easily estimated from the training data IPTComm 2008 11
- 12. How to derive features from the 4‐ state traffic pattern? Use a Markov chain to model the VoIP traffic pattern Statistics of traffic patterns Web P2P WoW TELNET VoIP A or B D M IPTComm 2008 12
- 13. Markov Chain Build a Markov chain model based on a set of known VoIP traffic patterns Derive a feature – likelihood value Transition probabilities of the Markov chain A B D M A 0.9022 0.0028 0.0380 0.0571 B 0.0029 0.9030 0.0391 0.0550 D 0.0607 0.0592 0.8763 0.0038 M 0.0465 0.0439 0.0019 0.9078 4‐state Markov chain IPTComm 2008 13
- 14. Likelihood of Traffic Patterns Given a traffic pattern with a state sequence S1, S2,…, Sn, where Si ∈ { A, B, D, M } Compute the log‐likelihood value as log( P , 2 × P2,3 × × P( n −1) n ) 1 Pi,j : the transition probability from Si to Sj Traffic flows may vary in length, thus define the normalized log‐likelihood value as log( P , 2 × P2,3 × × P( n −1) n ) 1 N N: the length of the sequence IPTComm 2008 14
- 15. Likelihood of Traffic Patterns The Markov chain represents typical human conversation VoIP flows => large log‐likelihood value Non‐VoIP flows => low log‐likelihood value Exhibit non‐human‐like behavior: non‐interactive, independent, unidirectional IPTComm 2008 15
- 16. Statistics of Traffic Patterns Mean of the period that party A (or B) is ON (talking) each time (also compute the standard deviation) Bidirectional behavior Mean and standard deviation of the sojourn time in states A, B, D, M, respectively Interactive behavior State alternation frequency Fragmented and disordered level of traffic pattern IPTComm 2008 16
- 17. Statistics of Traffic Patterns State alternation frequency Alternation frequency between different states E.g., (6 alternations between different states) / (20 sec.) IPTComm 2008 17
- 18. Feature Summary Feature set Normalized log‐likelihood value based on the Markov chain Speech period of party A or B (mean, standard deviation) Sojourn time in each states* (mean, standard deviation) Ratio of sojourn time in each states* Alternation rate between states* *states A, B, D, M IPTComm 2008 18
- 19. Methodology Training phase Identification phase Incoming flows Labeled training flows (unknown class) (VoIP or non‐VoIP) Extract conversation patterns and derive Extract 4‐state traffic Naïve features patterns and derive Bayesian features Classifier Flow vectors Learn classifier Classify parameters Flow vectors Flow labels (VoIP or non‐VoIP) IPTComm 2008 19
- 20. Trace Collection We collected network traffic from 5 categories of applications VoIP (Skype), TELNET, Web, P2P (BitTorrent), online game (World of Warcraft) Category # Connections Duration # Packets Bytes VoIP 462 2,388 (min) 4,728,240 4,318 (MB) TELNET 2,008 4,729 (min) 10,559,261 7,331 (MB) Web 1,406 1,537 (min) 2,528,359 680 (MB) P2P 15,845 3,334 (min) 29,220,870 30,500 (MB) Online game 2,224 120 (min) 28,264,360 59,097 (MB) IPTComm 2008 20
- 21. Performance Evaluation Detect VoIP flows as early as possible Detection time is a major concern 95% accuracy with 4‐second detection time 97% accuracy with 11‐second detection time IPTComm 2008 21
- 22. Performance Evaluation Goal detect VoIP flows VoIP flows positives, non‐VoIP flows negatives True positive rate The number of VoIP flows correctly identified TPR = The number of total VoIP flows False positive rate The number of non ‐ VoIP flows correctly identified FPR = The number of total non ‐ VoIP flows True negative rate IPTComm 2008 22
- 23. Performance Evaluation 97% TPR with a detection time longer than 3 sec. Flows of World of Warcraft tend to be mis‐identified Achieve 90% TNR with a detection time longer than 10 sec. IPTComm 2008 23
- 24. ROC Curves ROC (Receiver Operating Characteristic) IPTComm 2008 24
- 25. Summary Propose a VoIP flow identification scheme based on human conversation patterns Our scheme yields an identification accuracy 95% within 4 sec. of the detection time, and 97% within 11 sec. High accuracy in short detection time IPTComm 2008 25