Abstract
With the widespread adoption of new smart devices and their applications, wireless service providers
are facing a challenging environment in the advent of broadband wireless communications. Not
only is there an explosion of broadband data, but the way that these new applications are stressing
the network is unpredictable, transient, and at times unexpected. This has created an environment
where the monitoring and analytic tools of the legacy systems are no longer suitable to really
understand these new issues.
This paper first describes how the 9900 Wireless Network Guardian (WNG) is able to uniquely
understand the dynamics of wireless broadband data and correlate it hop-by-hop to device-specific
IP packet flows. With this new insight (i.e., Wireless Network Intelligence), the wireless service
provider will be in a position to identify specific network anomalies down to the specific device
and application that could compromise the mobile data experience of a valued subscriber and
potentially jeopardize the integrity of the network itself.
This paper then discusses how the 5780 Dynamic Services Controller (DSC) can leverage this
intelligence to create new business rules that can be dynamically triggered to protect the Quality of
Experience (QoE) of valued subscribers while bolstering the integrity of the wireless network. Finally,
this paper presents the solution called Intelligent Traffic Management (ITM) that represents
the integration between the 9900 WNG and the 5780 DSC and details the specific mechanics
behind it.
Table of contents
5. Conclusion
6. Abbreviations
7. Resources
[Figure labels: Network loading and performance; Subscriber wireless IP broadband traffic]
2. Extracting wireless network intelligence using the 9900 Wireless Network Guardian
The Alcatel-Lucent 9900 WNG provides a unique insight into this blind spot by understanding the
real-time capacity of all network elements and links. Combined with its application and device
knowledge, the 9900 WNG can correlate each application flow to specific devices, elements, and
links in the RAN, backhaul network, and packet core by following the end-to-end packet flow to
and from the subscriber's device.
This approach allows the 9900 WNG to passively monitor, in real-time, every subscriber's data
experience while automatically analyzing and identifying the root-cause issues such as anomalous
events (e.g., heavy users, signaling overloading, security threats, etc.) that are contributing to a
subscriber's degraded experience.
This also enables the 9900 WNG to identify which network elements are capacity-constrained in
the dimensions of bandwidth, airtime exhaustion, and signaling overload right down to the cell site
level. It also makes clear the sources of these constraints in terms of users, applications, application
servers and devices. This allows service providers to understand what is creating capacity constraints
and also what may be deteriorating performance. Figure 2 illustrates how the 9900 WNG correlates
each device and each application with every network hop to provide deep understanding of how
devices and applications impact the wireless network and how network performance impacts each
subscriber's QoE.
Figure 2. The 9900 WNG providing wireless network intelligence
[Figure 2 labels: Devices, Network, Applications; impact of performance on subscriber QoE; impact of subscribers on network loading]
With this deep and powerful level of correlation, unique insight or wireless network intelligence
can be used to empower service providers to proactively maintain a subscriber's QoE while securing
the integrity of the network. The next section discusses how wireless network intelligence can be
used to enrich policy decisions with the 5780 DSC.
3. Enriching policy decisions with the 5780 DSC and wireless network intelligence
The Alcatel-Lucent 5780 Dynamic Services Controller (DSC) is a state-of-the-art decision engine
providing wireless service providers with the capabilities to map business demands and network
constraints into easy-to-manage network policy rules. The decision engine uses a set of pre-defined
service provider-configured service policies combined with additional network (device details, access
type, location), subscriber (service tier, entitlements, credit balance), system (state, time of day) and
application information (service description, traffic parameters) that it dynamically obtains from
its various standard interfaces to maximize the effectiveness of its policy decisions. Once policy
decisions are dynamically synthesized by the decision engine, they are formulated into network
consumable rules and sent to the network where they are instantiated and enforced for per-device
per-application data plane treatment. Wireless network intelligence is a new breed of data that can
be used by the 5780 DSC to further enhance the operational capabilities of the service provider.
The logical evolution to maximize the value of this data involves using dynamic policy control to
provide policy-driven functions that can be delivered with velocity, scale, and operational efficiency.
An integrated policy management solution would be able to establish flexible rules to dynamically
examine the highly varying conditions at each cell site and network hop which may vary greatly
from the events and traffic that are viewed from the core. Once a service provider-defined event or
network anomaly (heavy user, security threat, etc.) is identified and deemed to impact subscriber
performance, the policy engine can then trigger an action that would aim to address that condition.
The action can be subscriber notification of the event to warn them of potential service deterioration
and to offer service options that are more aligned with their personal traffic usage patterns. Other
actions can be packet flow de-prioritization or even packet throttling. Figure 3 illustrates the
5780 DSC and the sources of dynamic data that it uses to make policy decisions.
Figure 3. Enhancing the 5780 DSC's rules engine with wireless network intelligence
[Figure 3 labels: inputs to the 5780 DSC's decision engine: subscriber profile/service tier/entitlements; device details/access type/location; application details/service description; network details/updates]
The next section details Alcatel-Lucent's Intelligent Traffic Management (ITM) solution, which
represents the integration of the 9900 WNG with the 5780 DSC to create the service provider
benefits outlined above.
Some of the more common sources of unwanted or rogue traffic that can be identified by the
9900 WNG are:
• Peer-to-peer (P2P) traffic: a class of traffic from a specific device, often associated with video
  downloading, that is typically very aggressive in nature and has a tendency to consume massive
  amounts of broadband traffic in an unfair manner. During times of congestion this traffic may
  be a candidate for action provided it imposes on other subscribers.
• Always Active Airtime: when users have a constant wireless communications channel up
  that exceeds normal airtime use attributed to voice or broadband data sessions.
• Port scanning: when a source (mobile device application/Internet server application) attempts
  to cycle through TCP/UDP ports within a device/server or across many devices/servers to
  identify an opening that could be used for an attack or denial of service.
• Signaling attack: when a source seeks to overload the control plane of a 3G/4G wireless network
  using low-volume attack traffic by repeatedly triggering radio channel allocations and revocations.
• Battery attack: when a malicious source commandeers a mobile device's communications channel
  to repeatedly awaken it from an idle low-power slumber into a state of readiness that saps its
  electric power and consumes network resources.
4.1.2 Heavy users
In addition to the aforementioned traffic, every network has a set of non-malicious subscribers
who are consuming an unfair amount of network resources, thereby compromising the overall
QoE of others.
The RAN, backhaul, and packet core elements provide QoS capabilities that deal specifically with
real-time congestion to provide packet prioritization while maximizing network and cell throughput.
However, these functions are generally not subscriber, entitlement, and historical usage aware. For
example, the RAN automatically distributes service equally among all user traffic within the same
QoS class regardless of the subscriber's entitlements, historic traffic use, or potential involvement in
an anomalous event (heavy user, security threat, etc.). In many cases, all subscribers share a single
QoS group for their broadband traffic, opening up opportunities for heavy users to thrive and
compromise the QoE of others with the same entitlements. The 9900 WNG is able to detect heavy data
users as well as heavy signaling users.
The next section shows how the sources of these anomalous events and heavy use are identified by
the 9900 WNG and reported to the 5780 DSC so that service provider-defined policies can trigger
an action to alleviate these disruptive conditions.
4.2 Intelligent Traffic Management
ITM is a solution that identifies unwanted or rogue traffic in the wireless network through proactive
real-time network measurement and analytics. It then de-prioritizes, throttles, or removes this traffic,
for a period of time, through policy decisions allowing service providers to protect subscribers' QoE
while better using their network resources.
There are three main functions in the solution, which involve different parts or elements in the network.
The first function is Monitor and Analyze and is performed by the 9900 WNG. The second function
is Process and Trigger and is performed by the 5780 DSC. It is important to note that tight integration
is needed between the 9900 WNG and the 5780 DSC for these two functions to work in concert.
The third and last function is Enforce and Deliver, and relies on the wireless network and various
elements within it to provide both the enforcement and the delivery functions. Figure 4 illustrates a
network view of the solution and the general mechanics behind it.
Figure 4. Intelligent Traffic Management Solution framework
[Figure 4 labels: the 9900 Wireless Network Guardian (monitor and analyze) sends anomaly notifications to the 5780 Dynamic Services Controller (process and trigger); network segments shown: radio access network, backhaul, packet core]
4.2.1 Monitor and Analyze
This function is performed by the 9900 WNG by collecting and monitoring subscriber and application
traffic in real-time, which it correlates with the loading and performance of all network elements.
The 9900 WNG then generates subscriber anomaly events (port scans, battery attacks, heavy users, etc.)
and network element performance alerts by evaluating the specific anomalies over a configurable
watching window period.
Each anomaly event and performance alert is evaluated over its own dedicated watching window
or trending period to ensure that it is not a random one-time event but rather a sustained issue
that needs to be addressed. The anomaly being analyzed is assigned an intensity level for every
watching window and is reported to the 5780 DSC with that detail. Each anomaly event's
watching window and intensity level definition is service provider-configurable, thus ensuring
flexible implementation capabilities.
The 9900 WNG notifies the 5780 DSC of all per-subscriber anomalous events (such as high data usage
and signaling subscribers, port scans, etc). As the subscriber enters into, exits from, or transitions from
one level of intensity to another, the 9900 WNG will notify the 5780 DSC. The 9900 WNG can also
filter notifications and only send a notification if an anomaly is of a specified intensity threshold. In
addition, the 9900 WNG can notify the 5780 DSC of a network element or link that is exhibiting
a performance anomaly such as congestion or signaling overload. When the 9900 WNG notifies the
5780 DSC of a subscriber anomaly event or a network performance event, an assignment is created for
each event against the subscriber or network object.
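The watching-window evaluation and the enter/exit/transition notifications described above, sketched as an added example (this is not Alcatel-Lucent code and not the 9900 WNG's actual algorithm). The megabyte thresholds, window length, notification filter, subscriber names and sample records are constructed assumptions.

```python
from bisect import bisect_right
from collections import defaultdict

# Assumed, provider-configurable definition of the "heavy user" anomaly:
# megabytes per watching window that must be reached for intensity 1..5.
HEAVY_USER_LEVELS_MB = [200, 400, 800, 1600, 3200]
WINDOW_SECONDS = 900        # assumed watching window length
NOTIFY_MIN_INTENSITY = 2    # assumed filter: lower intensities are not reported

# Constructed usage records: (timestamp in seconds, subscriber, megabytes).
SAMPLES = [
    (10, "sub-A", 150), (20, "sub-B", 100), (300, "sub-A", 100),
    (950, "sub-A", 900), (1900, "sub-A", 1700), (2800, "sub-A", 50),
]

def intensity(mb_in_window, levels=HEAVY_USER_LEVELS_MB):
    """Return 0 for no anomaly, otherwise the number of thresholds reached."""
    return bisect_right(levels, mb_in_window)

def notifications(samples, window=WINDOW_SECONDS, min_intensity=NOTIFY_MIN_INTENSITY):
    """Aggregate usage per watching window and emit one tuple
    (window_index, subscriber, kind, old_level, new_level) each time a
    subscriber enters, exits or moves between reportable intensity levels."""
    usage = defaultdict(lambda: defaultdict(float))
    for ts, sub, mb in samples:
        usage[int(ts // window)][sub] += mb
    if not usage:
        return []
    subscribers = sorted({s for per_window in usage.values() for s in per_window})
    reported = {}   # last intensity level reported for each subscriber
    out = []
    for w in range(min(usage), max(usage) + 1):
        for sub in subscribers:
            level = intensity(usage[w].get(sub, 0.0))
            if level < min_intensity:
                level = 0           # below the filter counts as "no anomaly"
            old = reported.get(sub, 0)
            if level == old:
                continue            # no change, so nothing to send
            kind = "enter" if old == 0 else "exit" if level == 0 else "transition"
            out.append((w, sub, kind, old, level))
            reported[sub] = level
    return out

if __name__ == "__main__":
    for event in notifications(SAMPLES):
        print(event)
```

Only changes of level produce a notification, so a subscriber who stays at the same intensity across several windows is reported once.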
4.2.2 Process and Trigger
In order to apply the ITM capabilities in a dynamic, consistent, and scalable manner, specific
per-subscriber policies are defined and created within the 5780 DSC. For each policy the service
provider first simply defines items such as the event type (i.e., heavy user, port scans, battery attack, etc.),
event intensity (i.e., 1=low, 5=high), and event precedence. Intensity level is important since it will
give the service provider a threshold level for which to trigger an action. For example, if the intensity
level of a prescribed anomalous event is greater than 4, then an action should be triggered. Furthermore,
intensity level can be used to differentiate different service tiers. For example, intensity level 4
may trigger a policy on gold subscribers but intensity level 2 may trigger the same policy on
bronze subscribers.
Precedence is important as it enables the service provider to create a per-subscriber compound
policy that may involve multiple anomalous events where one may have precedence over another.
For example, if an application on the subscriber's device is executing a port scan, then the
policy may be simply to terminate the subscriber's session even though the subscriber may also be
considered a heavy user. In this case, the service provider would place a higher precedence on the
port scan event over the heavy user status.
Once the event types are defined in a policy, then certain actions are added that can be executed
when certain thresholds are exceeded. One of the benefits of this solution is that the triggered
actions are subscriber entitlement-aware due to the close integration between the 5780 DSC and
the Subscriber Profile Repository (SPR). This means that specific knowledge of the subscriber can
be considered to make actions more meaningful and personalized. Actions can be the following:
• Notification: This action offers an effective way to interact with the subscriber not only to
  notify them of the event but to offer to the subscriber new service options that would be more
  aligned with their traffic patterns.
• QoS changes: This action represents re-prioritizing the underlying IP packet flow to a lower QoS
  class. This is a very effective action as it will not discard packets, and application performance
  will not deteriorate for the subscriber unless there is congestion on one of the network elements
  in the end-to-end path.
• Packet throttle: This action represents throttling the underlying IP packet flow in the packet
  core. Subscriber application performance will be impacted immediately.
• Terminate session: This action terminates the actual broadband data session. This action is
  typically reserved for malicious security threats like port scans, battery attacks, etc.
Once the policy is created (event type, intensity, precedence, actions) then the rule engine of
the 5780 DSC is used to define the subscribers and the conditions under which the policy is to be
applied. The rules engine is essential in applying policies with scale and flexibility to meet the
ever-changing environment.
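How event type, tier-specific intensity thresholds and precedence combine into one action per subscriber, as an added example (not the 5780 DSC's rule syntax or code). The rule fields, precedence numbers, the at-or-above threshold comparison and the congestion flag are assumptions; the tiers, event types and actions are the ones named in the text.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    event_type: str
    precedence: int              # higher value wins when several rules match
    min_intensity: dict          # service tier -> lowest intensity that triggers
    action: str
    only_when_congested: bool = False

# Constructed policy: a port scan always ends the session; heavy use is
# re-prioritized at intensity 4 for gold and intensity 2 for bronze.
POLICY = (
    Rule("port_scan", 100, {"gold": 1, "bronze": 1}, "terminate_session"),
    Rule("heavy_user", 10, {"gold": 4, "bronze": 2}, "qos_downgrade",
         only_when_congested=True),
)

@dataclass
class Subscriber:
    tier: str
    assignments: dict = field(default_factory=dict)  # event type -> intensity

    def notify(self, event_type, intensity):
        """Apply an anomaly notification; intensity 0 means the event ended."""
        if intensity == 0:
            self.assignments.pop(event_type, None)
        else:
            self.assignments[event_type] = intensity

def decide(sub, congested, policy=POLICY):
    """Return the action of the highest-precedence matching rule, or None."""
    matches = []
    for rule in policy:
        level = sub.assignments.get(rule.event_type, 0)
        floor = rule.min_intensity.get(sub.tier)
        if floor is None or level < floor:
            continue                      # tier not covered or below threshold
        if rule.only_when_congested and not congested:
            continue                      # spare capacity: no action needed
        matches.append(rule)
    if not matches:
        return None
    return max(matches, key=lambda r: r.precedence).action

if __name__ == "__main__":
    gold = Subscriber("gold")
    gold.notify("heavy_user", 4)
    gold.notify("port_scan", 1)
    print(decide(gold, congested=True))
```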
4.2.3 Enforce and Deliver
Enforcement and delivery is the instantiation of the policy rules into the network by the network
elements. Once the 5780 DSC synthesizes the policy rules into a set of network-consumable actions it
communicates these actions to the network via the 3rd Generation Partnership Project (3GPP) standard
[Figure: "Small percentage of users use disproportionate amounts of bandwidth"; annotation "80% of volume consumed by 10% of devices"; label "Smartphone B"]
From this graph it is clear that the top 10% of data users consumed 80% of traffic and the top
20% of data users consumed 90% of traffic. In fact, internal studies show that long-term heavy
users are repeat offenders since the top 5% of data users of the preceding day consumed between
30 and 35% of data in congested times (peak periods) during the next day. It is clear there are users
that are consuming a disproportionate amount of resources and, during times of congestion, are
using more than their fair share of bandwidth. The issue with this phenomenon is that this extra
bandwidth use from heavy users is not being monetized yet it impacts the QoE of other valued
subscribers during times of contention. One of the reasons why this happens is due to the fact that
the QoS capabilities in the network do not distinguish between a user consuming massive amounts
of broadband data and a normal behaving user within the same QoS class. Moreover, in many wireless
network deployments, all broadband traffic sessions are often lumped into the same QoS class,
which exacerbates the situation.
This is where ITM can really help. With ITM, the service provider can create their own definition
for what a heavy user is by specifying their own intensity levels. Once this definition is set, the
solution will provide a notification of the new events, thus making the service provider aware of all
heavy users and when the users transition to and from various intensity levels. The service provider
can create specific policies that can be unique for each subscriber class and their personal entitlements,
and prescribe when an action(s) should take place and what the action should be. In many cases,
the action would be either to re-prioritize or throttle the heavy user's packet flow during times of
congestion or during times when other subscribers would be impacted. If there is enough network
capacity for all subscribers, then actions may not be needed.
An action could also include a personal notification to the subscriber offering higher performance
service options or options that are tailored more specifically to their personal usage patterns. This
is good for the subscriber since they would be charged more precisely for the personal usage they
consume leading to more value. This is also good for the service provider since they would more
precisely monetize their network.
5. Conclusion
In the new era of wireless broadband networks it is essential for service providers to understand how
traffic impacts their network and how it relates to device-specific application packet flows. This
knowledge is called wireless network intelligence. Without this knowledge, service providers are
operating in a blind fashion and really do not understand how to protect their subscribers' QoE and
secure the integrity of their network. ITM not only provides wireless network intelligence, but it
offers a solution that uses this intelligence to create network-wide policies that protect monetized
users from malicious security threats and heavy users. This keeps subscriber QoE high, and reduces
churn, while securing the integrity of the network.
6. Abbreviations
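3GPP 3rd Generation Partnership Project
DOS Denial of Service
DPI
DSC Dynamic Services Controller
GGSN
ITM Intelligent Traffic Management
P2P Peer-to-Peer
PGW
QoE Quality of Experience
QoS Quality of Service
RAN Radio Access Network
SPR Subscriber Profile Repository
UE User Equipment
WNG Wireless Network Guardian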
7. Resources
Improving QoE With an Intelligent Look into Wireless Network Capacity, Techzine feature article, Sept 21, 2010, http://www2.alcatel-lucent.com/blogs/techzine/
Personalizing the Network: Policy End to End, Heavy Reading on behalf of Alcatel-Lucent, November 2010
www.alcatel-lucent.com/5780dsc
www.alcatel-lucent.com/9900wng
www.alcatel-lucent.com/itm