Empirical analysis of traffic to establish a profiled flow termination timeout

The exponential increase of bandwidth on the Internet has made the online traffic classification a highly exigent task. All the operations in the classification process must be efficiently implemented in order to deal with an enormous amount of data. A key point in this process is the selection of a flow termination, a decision that has important consequences for several traffic classification techniques (e.g., DPI-based, Machine Learning-based). For instance, properly expiring the flows reduces the amount of memory necessary and avoids erroneous computation of flow features. In addition, the heterogeneous behaviour of the applications on the Internet have dismissed the traditional techniques to determine the flow termination (i.e., TCP 3/4-way handshake, TCP timeout). In this paper, we first perform a comprehensive study of the flow termination by application groups. Results confirm that traditional techniques are no longer sufficient to determine the flow termination (i.e., <;50% finish with TCP handshake for some groups). In order to address this new scenario we propose a profiled (i.e., by application group) flow termination timeout. This solution has been evaluated in a well-known commercial DPI tool (the Ipoque's PACE engine) achieving a drastic reduction of memory, while keeping the same computation cost and classification accuracy. In order to obtain representative results, two completely different traces have been analysed, one from the core network of a large ISP and another from the edge link of a mobile operator.
Peer Reviewed
Postprint (published version)