
Cpg2896110204 Itm en Appnote

Date post: 01-Mar-2018
Upload: packia-maharajan

  • 7/25/2019 Cpg2896110204 Itm en Appnote


    APPLICATION NOTE

    Intelligent Traffic Management: Protecting the Subscribers' QoE while Securing the Integrity of the Wireless Network


    Abstract

    With the widespread adoption of new smart devices and their applications, wireless service providers are facing a challenging environment in the advent of broadband wireless communications. Not only is there an explosion of broadband data, but the way that these new applications are stressing the network is unpredictable, transient, and at times unexpected. This has created an environment where the monitoring and analytic tools of the legacy systems are no longer suitable to really understand these new issues.

    This paper first describes how the 9900 Wireless Network Guardian (WNG) is able to uniquely understand the dynamics of wireless broadband data and correlate it hop-by-hop to device-specific IP packet flows. With this new insight (i.e., Wireless Network Intelligence), the wireless service provider will be in a position to identify specific network anomalies down to the specific device and application that could compromise the mobile data experience of a valued subscriber and potentially jeopardize the integrity of the network itself.

    This paper then discusses how the 5780 Dynamic Services Controller (DSC) can leverage this intelligence to create new business rules that can be dynamically triggered to protect the Quality of Experience (QoE) of valued subscribers while bolstering the integrity of the wireless network. Finally, this paper presents the solution called Intelligent Traffic Management (ITM) that represents the integration between the 9900 WNG and the 5780 DSC and details the specific mechanics behind it.


    Table of contents

    1. The need for wireless network intelligence
    2. Extracting wireless network intelligence using the 9900 Wireless Network Guardian
    3. Enriching policy decisions with the 5780 DSC and wireless network intelligence
    4. Intelligent Traffic Management
        4.1 A new breed of unwanted data traffic and anomalies
        4.2 Intelligent Traffic Management
        4.3 Heavy user use-case example
    5. Conclusion
    6. Abbreviations
    7. Resources


    1. The need for wireless network intelligence

    The explosion of smartphones, tablet computers, and other wireless-enabled devices, coupled with the availability of thousands of new applications that leverage IP-based mobile data networks, is creating a new and challenging environment for the wireless service provider. This environment is a lot more transient and unpredictable than traditional mobile voice networks and presents unique and complex challenges for service providers to maintain their subscribers' QoE while securing the integrity of their networks.

    Today, service providers do have the visibility into segments of their network but it is not correlated to the subscribers and their applications nor does it provide an end-to-end view. As a result, it is difficult to identify and characterize the impact that specific sources (i.e., devices, local and Internet applications, etc.) have on network capacity, performance, and security. Traditional radio management tools can indicate when performance is bad or when a certain capacity is being exceeded, but they do not explain why or which applications and/or devices are causing the problem.

    Service providers also have other tools such as Deep Packet Inspection (DPI) that monitor and manage core IP traffic, but they cannot identify and report on the impact that IP traffic has on a specific Radio Access Network (RAN). Using these tools may result in corrective actions that represent a more broad-brush approach that may not correct the situation and can negatively impact other subscribers and potentially degrade their service. This broad-brush approach can also squander precious network resources due to the lack of precision. For example, with some DPI approaches, if there is congestion in the RAN, service providers can choose to cap service delivery for an entire application class, thereby impacting customers who are not contributing to the issue; or service providers might cap service across all traffic from certain subscribers, including applications that are not creating problems.

    To move away from these existing approaches, service providers have to gain an understanding of the specific interactions between device and application traffic and network performance/capacity and where these worlds overlap. As depicted in Figure 1, service providers need to fill in the blind spot that, up until now, has made it hard for them to identify the specific sources of subscriber-impacting issues.

    Figure 1. The blind spot facing wireless service providers today

    [Figure labels: network loading and performance; subscriber wireless IP broadband traffic; the blind spot between them marked "?"]


    2. Extracting wireless network intelligence using the 9900 Wireless Network Guardian

    The Alcatel-Lucent 9900 WNG provides a unique insight into this blind spot by understanding the real-time capacity of all network elements and links. Combined with its application and device knowledge, the 9900 WNG can correlate each application flow to specific devices, elements, and links in the RAN, backhaul network, and packet core by following the end-to-end packet flow to and from the subscriber's device.

    This approach allows the 9900 WNG to passively monitor, in real-time, every subscriber's data experience while automatically analyzing and identifying the root-cause issues such as anomalous events (e.g., heavy users, signaling overloading, security threats, etc.) that are contributing to a subscriber's degraded experience.

    This also enables the 9900 WNG to identify which network elements are capacity-constrained in the dimensions of bandwidth, airtime exhaustion, and signaling overload right down to the cell site level. It also makes clear the sources of these constraints in terms of users, applications, application servers and devices. This allows service providers to understand what is creating capacity constraints and also what may be deteriorating performance. Figure 2 illustrates how the 9900 WNG correlates each device and each application with every network hop to provide deep understanding of how devices and applications impact the wireless network and how network performance impacts each subscriber's QoE.

    Figure 2. The 9900 WNG providing wireless network intelligence

    With this deep and powerful level of correlation, unique insight, or wireless network intelligence, can be used to empower service providers to proactively maintain a subscriber's QoE while securing the integrity of the network. The next section discusses how wireless network intelligence can be used to enrich policy decisions with the 5780 DSC.

    [Figure 2 labels: 9900 Wireless Network Guardian (multivendor, multi-technology, real-time); impact of subscribers on network loading; impact of network loading on performance; impact of performance on subscriber QoE; devices, network, applications]


    3. Enriching policy decisions with the 5780 DSC and wireless network intelligence

    The Alcatel-Lucent 5780 Dynamic Services Controller (DSC) is a state-of-the-art decision engine providing wireless service providers with the capabilities to map business demands and network constraints into easy-to-manage network policy rules. The decision engine uses a set of pre-defined service provider-configured service policies combined with additional network (device details, access type, location), subscriber (service tier, entitlements, credit balance), system (state, time of day) and application information (service description, traffic parameters) that it dynamically obtains from its various standard interfaces to maximize the effectiveness of its policy decisions. Once policy decisions are dynamically synthesized by the decision engine, they are formulated into network consumable rules and sent to the network where they are instantiated and enforced for per-device per-application data plane treatment. Wireless network intelligence is a new breed of data that can be used by the 5780 DSC to further enhance the operational capabilities of the service provider.

    The logical evolution to maximize the value of this data involves using dynamic policy control to provide policy-driven functions that can be delivered with velocity, scale, and operational efficiency. An integrated policy management solution would be able to establish flexible rules to dynamically examine the highly varying conditions at each cell site and network hop which may vary greatly from the events and traffic that are viewed from the core. Once a service provider-defined event or network anomaly (heavy user, security threat, etc.) is identified and deemed to impact subscriber performance, the policy engine can then trigger an action that would aim to address that condition. The action can be subscriber notification of the event to warn them of potential service deterioration and to offer service options that are more aligned with their personal traffic usage patterns. Other actions can be packet flow de-prioritization or even packet throttling. Figure 3 illustrates the 5780 DSC and the sources of dynamic data that it uses to make policy decisions.

    Figure 3. Enhancing the 5780 DSC's rules engine with wireless network intelligence

    [Figure labels: inputs to the 5780 DSC's decision engine: wireless network intelligence (per-subscriber, per-application real-time performance, network impact and anomalies); device details/access type/location; application details/service description; subscriber profile/service tier/entitlements; network details/updates]


    The next section details Alcatel-Lucent's Intelligent Traffic Management (ITM) solution, which represents the integration of the 9900 WNG with the 5780 DSC to create the service provider benefits outlined above.

    4. Intelligent Traffic Management

    4.1 A new breed of unwanted data traffic and anomalies

    A new breed of unwanted data traffic and anomalies is taking a foothold in existing wireless networks today that is causing havoc within the network while compromising a subscriber's QoE. These anomalous events include, but are not limited to, devices, servers and applications that are sending virus-laden or virus-generated flows and performing denial of service (DoS) attacks. This unwanted traffic not only consumes bandwidth but may also consume valuable signaling and airtime resources.

    In addition, this unwanted traffic does not contribute to revenue for the service provider and results in network capacity being consumed that could otherwise be used to improve and maintain a subscriber's QoE and bolster overall network performance and capacity. By eliminating or controlling this traffic, OPEX cost savings would be realized since less troubleshooting and customer-care expenses will be incurred. Moreover, CAPEX savings would also be realized since the existing capacity of the network will be increased.

    4.1.1 Unwanted or rogue traffic

    Some of the more common sources of unwanted or rogue traffic that can be identified by the 9900 WNG are:

    • Peer-to-peer (P2P) traffic: a class of traffic from a specific device, often associated with video downloading, that is typically very aggressive in nature and has a tendency to consume massive amounts of broadband traffic in an unfair manner. During times of congestion this traffic may be a candidate for action provided it imposes on other subscribers.

    • Always Active Airtime: when users have a constant wireless communications channel up that exceeds normal airtime use attributed to voice or broadband data sessions.

    • Port scanning: when a source (mobile device application/Internet server application) attempts to cycle through TCP/UDP ports within a device/server or across many devices/servers to identify an opening that could be used for an attack or denial of service.

    • Signaling attack: when a source seeks to overload the control plane of a 3G/4G wireless network using low-volume attack traffic by repeatedly triggering radio channel allocations and revocations.

    • Battery attack: when a malicious source commandeers a mobile device's communications channel to repeatedly awaken it from an idle low-power slumber into a state of readiness that saps its electric power and consumes network resources.

    4.1.2 Heavy users

    In addition to the aforementioned traffic, every network has a set of non-malicious subscribers who are consuming an unfair amount of network resources, thereby compromising the overall QoE of others.

    The RAN, backhaul, and packet core elements provide QoS capabilities that deal specifically with real-time congestion to provide packet prioritization while maximizing network and cell throughput. However, these functions are generally not subscriber, entitlement, and historical usage aware. For example, the RAN automatically distributes service equally among all user traffic within the same QoS class regardless of the subscriber's entitlements, historic traffic use, or potential involvement in an anomalous event (heavy user, security threat, etc.). In many cases, all subscribers share a single QoS group for their broadband traffic, opening up opportunities for heavy users to thrive and compromise the QoE of others with the same entitlements. The 9900 WNG is able to detect heavy data users as well as heavy signaling users.


    The next section shows how the sources of these anomalous events and heavy use are identified by the 9900 WNG and reported to the 5780 DSC so that service provider-defined policies can trigger an action to alleviate these disruptive conditions.

    4.2 Intelligent Traffic Management

    ITM is a solution that identifies unwanted or rogue traffic in the wireless network through proactive real-time network measurement and analytics. It then de-prioritizes, throttles, or removes this traffic, for a period of time, through policy decisions, allowing service providers to protect subscribers' QoE while better using their network resources.

    There are three main functions in the solution, which involve different parts or elements in the network. The first function is Monitor and Analyze and is performed by the 9900 WNG. The second function is Process and Trigger and is performed by the 5780 DSC. It is important to note that tight integration is needed between the 9900 WNG and the 5780 DSC for these two functions to work in concert. The third and last function is Enforce and Deliver, and relies on the wireless network and various elements within it to provide both the enforcement and the delivery functions. Figure 4 illustrates a network view of the solution and the general mechanics behind it.

    Figure 4. Intelligent Traffic Management Solution framework

    4.2.1 Monitor and Analyze

    This function is performed by the 9900 WNG by collecting and monitoring subscriber and application traffic in real-time, which it correlates with the loading and performance of all network elements. The 9900 WNG then generates subscriber anomaly events (port scans, battery attacks, heavy users, etc.) and network element performance alerts by evaluating the specific anomalies over a configurable watching window period.

    Each anomaly event and performance alert is evaluated over its own dedicated watching window or trending period to ensure that it is not a random one-time event but rather a sustained issue that needs to be addressed. The anomaly being analyzed is assigned an intensity level for every watching window and is reported to the 5780 DSC with that detail. Each anomaly event's watching window and intensity level definition is service provider-configurable, thus ensuring flexible implementation capabilities.

    [Figure 4 labels: 9900 Wireless Network Guardian (monitor and analyze); anomaly notification; 5780 Dynamic Services Controller (process and trigger); enforce and deliver; radio access network; backhaul; packet core]


    The 9900 WNG notifies the 5780 DSC of all per-subscriber anomalous events (such as high data usage and signaling subscribers, port scans, etc.). As the subscriber enters into, exits from, or transitions from one level of intensity to another, the 9900 WNG will notify the 5780 DSC. The 9900 WNG can also filter notifications and only send a notification if an anomaly is of a specified intensity threshold. In addition, the 9900 WNG can notify the 5780 DSC of a network element or link that is exhibiting a performance anomaly such as congestion or signaling overload. When the 9900 WNG notifies the 5780 DSC of a subscriber anomaly event or a network performance event, an assignment is created for each event against the subscriber or network object.
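The watching-window behaviour described in 4.2.1, sketched as an added example (this is not Alcatel-Lucent code and does not reflect the 9900 WNG's internal algorithm). Assumptions: fixed-size windows, the window median as the measure of "sustained" use, and the hypothetical names WatchingWindow, Notification, replay, SAMPLE_MB and LEVEL_FLOORS_MB with constructed values.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Notification:
    subscriber: str
    event_type: str
    kind: str       # "enter", "transition" or "exit"
    intensity: int  # 0 on exit


class WatchingWindow:
    """Evaluates one anomaly type per subscriber over fixed-size windows."""

    def __init__(self, event_type, window_size, level_floors, min_notify=1):
        self.event_type = event_type
        self.window_size = window_size            # samples per watching window
        self.level_floors = sorted(level_floors)  # floor for level 1, 2, ...
        self.min_notify = min_notify              # notification filter threshold
        self.samples = {}                         # subscriber -> current window
        self.reported = {}                        # subscriber -> last level sent

    def intensity(self, window):
        # Median, not mean (assumption): one burst must not look sustained.
        sustained = median(window)
        return sum(1 for floor in self.level_floors if sustained >= floor)

    def observe(self, subscriber, value):
        """Add one sample; return a Notification when a window closes and the
        reportable intensity changed, otherwise None."""
        window = self.samples.setdefault(subscriber, [])
        window.append(value)
        if len(window) < self.window_size:
            return None
        level = self.intensity(window)
        window.clear()
        # Levels below the filter threshold are treated as "no anomaly".
        reportable = level if level >= self.min_notify else 0
        previous = self.reported.get(subscriber, 0)
        if reportable == previous:
            return None
        self.reported[subscriber] = reportable
        if previous == 0:
            kind = "enter"
        elif reportable == 0:
            kind = "exit"
        else:
            kind = "transition"
        return Notification(subscriber, self.event_type, kind, reportable)


def replay(monitor, subscriber, values):
    """Feed samples in order and collect the notifications that result."""
    sent = []
    for value in values:
        note = monitor.observe(subscriber, value)
        if note is not None:
            sent.append(note)
    return sent


# Constructed sample: MB transferred per minute by one subscriber, four windows.
SAMPLE_MB = [
    10, 900, 12, 8, 11,       # single burst: median 11, level 0
    220, 250, 210, 230, 240,  # sustained: median 230, level 3
    450, 500, 420, 480, 410,  # heavier: median 450, level 4
    5, 6, 4, 7, 5,            # back to normal: level 0
]
LEVEL_FLOORS_MB = [50, 100, 200, 400, 800]  # constructed floors for levels 1..5

if __name__ == "__main__":
    monitor = WatchingWindow("heavy_user", 5, LEVEL_FLOORS_MB)
    for note in replay(monitor, "sub-A", SAMPLE_MB):
        print(note)
```

The 900 MB burst in the first window produces no notification, and raising min_notify to 4 suppresses the level 3 event while still reporting entry at level 4 and the later exit.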

    4.2.2 Process and Trigger

    In order to apply the ITM capabilities in a dynamic, consistent, and scalable manner, specific per-subscriber policies are defined and created within the 5780 DSC. For each policy the service provider first simply defines items such as the event type (i.e., heavy user, port scans, battery attack, etc.), event intensity (i.e., 1=low, 5=high), and event precedence. Intensity level is important since it will give the service provider a threshold level for which to trigger an action. For example, if the intensity level of a prescribed anomalous event is greater than 4, then an action should be triggered. Furthermore, intensity level can be used to differentiate different service tiers. For example, intensity level 4 may trigger a policy on gold subscribers but intensity level 2 may trigger the same policy on bronze subscribers.

    Precedence is important as it enables the service provider to create a per-subscriber compound policy that may involve multiple anomalous events where one may have precedence over another. For example, if an application on the subscriber's device is executing a port scan, then the policy may be simply to terminate the subscriber's session even though the subscriber may also be considered a heavy user. In this case, the service provider would place a higher precedence on the port scan event over the heavy user status.

    Once the event types are defined in a policy, then certain actions are added that can be executed when certain thresholds are exceeded. One of the benefits of this solution is that the triggered actions are subscriber entitlement-aware due to the close integration between the 5780 DSC and the Subscriber Profile Repository (SPR). This means that specific knowledge of the subscriber can be considered to make actions more meaningful and personalized. Actions can be the following:

    • Notification: This action offers an effective way to interact with the subscriber not only to notify them of the event but to offer to the subscriber new service options that would be more aligned with their traffic patterns.

    • QoS changes: This action represents re-prioritizing the underlying IP packet flow to a lower QoS class. This is a very effective action as it will not discard packets, and application performance will not deteriorate for the subscriber unless there is congestion on one of the network elements in the end-to-end path.

    • Packet throttle: This action represents throttling the underlying IP packet flow in the packet core. Subscriber application performance will be impacted immediately.

    • Terminate session: This action terminates the actual broadband data session. This action is typically reserved for malicious security threats like port scans, battery attacks, etc.

    Once the policy is created (event type, intensity, precedence, actions), the rules engine of the 5780 DSC is used to define the subscribers and the conditions under which the policy is to be applied. The rules engine is essential in applying policies with scale and flexibility to meet the ever-changing environment.
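How the event type, per-tier intensity threshold and precedence described in 4.2.2 combine into one action, as an added example (not the 5780 DSC's rule syntax or code). Assumptions: the names Rule, POLICY and SubscriberAssignments, the action strings, the ">=" threshold comparison, and a congestion-only flag on the heavy-user rule, which follows the heavy-user use case in 4.3.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    event_type: str
    precedence: int          # higher value wins in a compound policy
    tier_threshold: dict     # service tier -> lowest intensity that triggers
    action: str
    congestion_only: bool = False


# Constructed policy; action names mirror the four actions listed above.
POLICY = (
    Rule("port_scan", 100, {"gold": 1, "bronze": 1}, "terminate_session"),
    Rule("battery_attack", 90, {"gold": 1, "bronze": 1}, "terminate_session"),
    Rule("heavy_user", 10, {"gold": 4, "bronze": 2}, "qos_change",
         congestion_only=True),
)


class SubscriberAssignments:
    """Tracks the anomaly events currently assigned to one subscriber."""

    def __init__(self, tier):
        self.tier = tier
        self.active = {}  # event_type -> current intensity (1..5)

    def apply(self, event_type, kind, intensity):
        """Apply one notification; kind is 'enter', 'transition' or 'exit'."""
        if kind == "exit":
            self.active.pop(event_type, None)
        elif kind in ("enter", "transition"):
            if not 1 <= intensity <= 5:
                raise ValueError(f"intensity out of range: {intensity}")
            self.active[event_type] = intensity
        else:
            raise ValueError(f"unknown notification kind: {kind}")

    def decide(self, congested, policy=POLICY):
        """Return the action of the highest-precedence triggered rule, or None."""
        triggered = []
        for rule in policy:
            intensity = self.active.get(rule.event_type)
            threshold = rule.tier_threshold.get(self.tier)
            if intensity is None or threshold is None:
                continue  # no such event, or rule not defined for this tier
            if intensity < threshold:
                continue  # below this tier's trigger level
            if rule.congestion_only and not congested:
                continue  # spare capacity: no action needed
            triggered.append(rule)
        if not triggered:
            return None
        return max(triggered, key=lambda r: r.precedence).action


if __name__ == "__main__":
    sub = SubscriberAssignments("bronze")
    sub.apply("heavy_user", "enter", 3)
    print(sub.decide(congested=True))   # heavy-user rule alone
    sub.apply("port_scan", "enter", 1)
    print(sub.decide(congested=True))   # port scan takes precedence
```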

    4.2.3 Enforce and Deliver

    Enforcement and delivery is the instantiation of the policy rules into the network by the network elements. Once the 5780 DSC synthesizes the policy rules into a set of network-consumable actions it communicates these actions to the network via the 3rd Generation Partnership Project (3GPP) standard Gx interface for enforcement at specific network enforcement points. In 3G networks, communication will go directly through the Gx interface to the Gateway GPRS Node Support (GGSN); and in 4G networks communication will go directly through the Gx interface to the Packet Data Network Gateway (PGW). For both 3G and 4G networks, the Gx interfaces can be used to communicate directly with the DPI appliance for enforcement. These enforcement points are used to either re-prioritize, throttle, or terminate the packet flow that has been identified as being anomalous.

    Once these packet flows are acted upon at the enforcement points (e.g., re-prioritized, throttled) they need to be delivered across the end-to-end wireless network with the specific priority and performance dictated by the policy. It is the collective responsibility of each network element in the packet core, the backhaul network, and the radio access network to provide this delivery function.

    4.3 Heavy user use-case example

    Internal Alcatel-Lucent research on real mobile broadband network usage data has shown that the top few percent of users generate a disproportionate percentage of the total network load. Based on real network measurements using the 9900 WNG, Figure 5 has been created to demonstrate this trend. In Figure 5, Smartphone A and Smartphone B represent data usage for different devices in the research.

    Figure 5. Disproportionate data use from a small number of users

    From this graph it is clear that the top 10% of data users consumed 80% of traffic and the top 20% of data users consumed 90% of traffic. In fact, internal studies show that long-term heavy users are repeat offenders since the top 5% of data users of the preceding day consumed between 30 and 35% of data in congested times (peak periods) during the next day. It is clear there are users that are consuming a disproportionate amount of resources and, during times of congestion, are using more than their fair share of bandwidth. The issue with this phenomenon is that this extra bandwidth use from heavy users is not being monetized yet it impacts the QoE of other valued subscribers during times of contention. One of the reasons why this happens is that the QoS capabilities in the network do not distinguish between a user consuming massive amounts of broadband data and a normal behaving user within the same QoS class. Moreover, in many wireless network deployments, all broadband traffic sessions are often lumped into the same QoS class, which exacerbates the situation.

    [Figure 5 plot: percentage (%) of total traffic volume by specific UEs (0 to 100) against percentage (%) of top UEs by volume (0 to 50), with curves for Smartphone A and Smartphone B. Small percentage of users use disproportionate amounts of bandwidth: 80% of volume consumed by 10% of devices.]


    This is where ITM can really help. With ITM, the service provider can create their own definition for what a heavy user is by specifying their own intensity levels. Once this definition is set, the solution will provide a notification of the new events, thus making the service provider aware of all heavy users and when the users transition to and from various intensity levels. The service provider can create specific policies that can be unique for each subscriber class and their personal entitlements, and prescribe when an action(s) should take place and what the action should be. In many cases, the action would be either to re-prioritize or throttle the heavy user's packet flow during times of congestion or during times when other subscribers would be impacted. If there is enough network capacity for all subscribers, then actions may not be needed.

    An action could also include a personal notification to the subscriber offering higher performance service options or options that are tailored more specifically to their personal usage patterns. This is good for the subscriber since they would be charged more precisely for the personal usage they consume, leading to more value. This is also good for the service provider since they would more precisely monetize their network.

    5. Conclusion

    In the new era of wireless broadband networks it is essential for service providers to understand how traffic impacts their network and how it relates to device-specific application packet flows. This knowledge is called wireless network intelligence. Without this knowledge, service providers are operating in a blind fashion and really do not understand how to protect their subscribers' QoE and secure the integrity of their network. ITM not only provides wireless network intelligence, but it offers a solution that uses this intelligence to create network-wide policies that protect monetized users from malicious security threats and heavy users. This keeps subscriber QoE high, and reduces churn, while securing the integrity of the network.

    6. Abbreviations

    3GPP 3rd Generation Partnership Project

    DOS Denial of Service

    DPI Deep Packet Inspection

    DSC Dynamic Services Controller

    GGSN Gateway GPRS Node Support

    ITM Intelligent Traffic Management

    P2P Peer-to-Peer

    PGW Packet Data Network Gateway

    QoE Quality of Experience

    QoS Quality of Service

    RAN Radio Access Network

    SPR Subscriber Profile Repository

    UE User Equipment

    WNG Wireless Network Guardian

    7. Resources

    Improving QoE With an Intelligent Look into Wireless Network Capacity, Techzine feature article, Sept 21, 2010, http://www2.alcatel-lucent.com/blogs/techzine/

    Personalizing the Network: Policy End to End, Heavy Reading on behalf of Alcatel-Lucent, November 2010

    www.alcatel-lucent.com/5780dsc

    www.alcatel-lucent.com/9900wng

    www.alcatel-lucent.com/itm


    www.alcatel-lucent.com Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2011 Alcatel-Lucent. All rights reserved. CPG2896110204 (02)

