Harnessing the power of AI to enhance Deep Packet Inspection capabilities

Net AI, published in Net AI Insights, Jan 26, 2023

Decomposition is a novel technology for service-level traffic stream quantification, which complements and enhances current traffic classification solutions that are heavily based on Deep Packet Inspection (DPI).

Examining network traffic through DPI can be expensive, as it requires high-performance computing platforms or dedicated hardware to process individual packets at ever-increasing line rates. DPI faces further challenges when confronted with the growing adoption of security and privacy measures such as data traffic encryption techniques (including HTTPS, VPN tunnelling, etc.) that limit the ability to directly inspect traffic.

Traffic decomposition leverages cutting-edge machine learning techniques to disentangle the overall traffic volume observed at a given network entity (e.g., NB, MEC facility, etc.) into the underlying service-level demands (e.g., YouTube, Facebook, Google services, etc.). Therefore, decomposition can opportunistically replace the heavy compute load demand of DPI with lightweight inference via a neural network model that only ingests metadata. By summarising aggregate traffic volumes, this approach offers gains of several orders of magnitude in terms of computing resource usage, and substantial reductions of the cost of high-throughput traffic classification.

While decomposition is a data-driven approach that requires traffic classification labels during the learning phase, once trained, it unlocks a range of possibilities that are not available solely through DPI. For instance, decomposition scales with the deployment size and can be applied extensively, owing to its low compute footprint. As a matter of fact, standard DPI and classification solutions typically run at specific points in the network as they are compute-intensive. Instead, and thanks to its lightweight nature, our decomposition technology can be run at a much finer geographic granularity, and possibly operate at the level of individual switches, thus offering enhanced visibility on the network status over existing solutions.

Scalability with growing data rates

State-of-the-art DPI solutions are expected to inspect up to 10Gbps per CPU core. Microscope, our decomposition engine, can process and disaggregate hundreds of Gbps per core, and can scale to even larger volumes with ease. This is because Microscope does not inspect individual (sampled) packets but receives as input time series of the aggregate traffic; also, Microscope produces service-level traffic volumes (aggregated over all flows for each service) directly. Overall, Microscope’s complexity only grows with the number of network elements to be monitored in parallel, and has constant cost (compute, energy) with respect to the volume of traffic generated at each of those elements.

Accuracy

Microscope outputs the current or future (if combined with our dedicated forecasting module) service-level traffic volumes using a neural network, which is an approximation model and thus may entail inherent accuracy limitations. However, evaluations conducted with real-world measurement traffic collected in a metropolitan-scale RAN demonstrate less than 1% Normalised Mean Absolute Error (NMAE) when compared against the ground-truth data provided by the operator and obtained with DPI.

Training

Microscope builds on a data-driven model, and hence employs labelled measurements in order to learn to decompose service-level traffic. A relevant performance metric for this type of model is re-training frequency. Experiments with real-world measurement traffic collected in a metropolitan-scale RAN for the most popular 20 services (accounting for over 70% of the total network traffic load) showed that Microscope decomposition results stay accurate for at least 8 weeks, implying very limited re-training frequency and costs.
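
An added example, not Net AI's code: one way to track the accuracy and re-training points described in the Accuracy and Training sections, by scoring decomposition output against DPI labels week by week. The NMAE normalisation (mean absolute error divided by mean ground-truth volume), the function and service names, the sample volumes and the use of 1% as an alert threshold are assumptions; the data is constructed.

```python
from statistics import mean

def nmae(predicted, ground_truth):
    """Mean absolute error divided by mean ground-truth volume (assumed definition)."""
    if not ground_truth or len(predicted) != len(ground_truth):
        raise ValueError("series must be non-empty and of equal length")
    denom = mean(ground_truth)
    if denom == 0:
        raise ValueError("ground-truth volume is zero; NMAE is undefined")
    return mean(abs(p - g) for p, g in zip(predicted, ground_truth)) / denom

def weekly_nmae(predicted, ground_truth, samples_per_week):
    """NMAE for each complete week; a trailing partial week is ignored."""
    weeks = len(ground_truth) // samples_per_week
    return [
        nmae(predicted[w * samples_per_week:(w + 1) * samples_per_week],
             ground_truth[w * samples_per_week:(w + 1) * samples_per_week])
        for w in range(weeks)
    ]

def retrain_report(decomposed, dpi_labels, samples_per_week, threshold):
    """Map each service to the first 1-based week whose NMAE exceeds the
    threshold, or None if the model stayed within it for every week."""
    report = {}
    for service, truth in dpi_labels.items():
        scores = weekly_nmae(decomposed[service], truth, samples_per_week)
        report[service] = next(
            (i + 1 for i, s in enumerate(scores) if s > threshold), None)
    return report

# Constructed sample: 3 weeks, 4 volume samples per week, arbitrary units.
DPI_LABELS = {
    "video": [100, 120, 80, 100] * 3,
    "social": [50, 50, 50, 50] * 3,
}
DECOMPOSED = {
    # Week 3 drifts away from the DPI labels for the "video" service.
    "video": [101, 119, 80, 100] + [100, 121, 80, 100] + [110, 110, 90, 100],
    "social": [50, 51, 50, 50] * 3,
}
THRESHOLD = 0.01  # assumption: the article's 1% NMAE figure used as an alert level

if __name__ == "__main__":
    print(retrain_report(DECOMPOSED, DPI_LABELS, 4, THRESHOLD))
```
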

Summary

  • Extends and complements existing DPI systems, where DPI can be used to provide ongoing training and categorisation, with AI/ML based Microscope providing extensive, wide area bulk data analysis.
  • Will scale with the exponential growth of data in both wireless and fixed networks with application to broader networks such as SDWAN.
  • Provides analytics even for encrypted traffic giving valuable insight into all streams without compromising data integrity or security.
  • Offers real-time operation, low compute overhead, cost effectiveness, extensibility and native cloud-based implementation, which jointly enable widespread deployment of the solution so as to produce live and high-resolution insights into the network behaviour.

Case Study

Successive generations of mobile technology continue to add complexity with an increasing number of services competing for resources, including voice over IP and data services ranging from video streaming to social media and real time gaming. Monitoring the resultant torrent of data and identifying services affecting network behaviour is increasingly difficult, time consuming and resource intensive. Network engineers are already overtasked with identifying and resolving problems, and automated solutions are needed to free up these valuable resources for problem correction rather than identification.

Net AI's cloud-native analytics solution uses advanced AI/ML to tame the torrent of data, feeding high-level metadata into an AI engine and providing real-time insights on anomalous patterns and other service-affecting events. Problems can be rapidly identified, and evolving behaviours such as localised video load can be forecast, before they affect performance. Network-wide real-time analytics help engineers prioritise their efforts and bring other tools to further identify and resolve issues without consuming huge amounts of compute resources or dedicated hardware, allowing them to focus engineering time on network performance optimisation.
