
APPLICATION NOTE

Intelligent Traffic Management

Protecting the Subscriber's QoE while Securing the Integrity of the Wireless Network

Abstract
With the widespread adoption of new smart devices and their applications, wireless service providers
are facing a challenging environment in the advent of broadband wireless communications. Not
only is there an explosion of broadband data, but the way that these new applications are stressing
the network is unpredictable, transient, and at times unexpected. This has created an environment
where the monitoring and analytic tools of the legacy systems are no longer suitable to really
understand these new issues.
This paper first describes how the 9900 Wireless Network Guardian (WNG) is able to uniquely
understand the dynamics of wireless broadband data and correlate it hop-by-hop to device-specific
IP packet flows. With this new insight (i.e., Wireless Network Intelligence), the wireless service
provider will be in a position to identify specific network anomalies down to the specific device
and application that could compromise the mobile data experience of a valued subscriber and
potentially jeopardize the integrity of the network itself.
This paper then discusses how the 5780 Dynamic Services Controller (DSC) can leverage this
intelligence to create new business rules that can be dynamically triggered to protect the Quality of
Experience (QoE) of valued subscribers while bolstering the integrity of the wireless network. Finally,
this paper presents the solution called Intelligent Traffic Management (ITM) that represents
the integration between the 9900 WNG and the 5780 DSC and details the specific mechanics
behind it.

Table of contents
1. The need for wireless network intelligence
2. Extracting wireless network intelligence using the 9900 Wireless Network Guardian
3. Enriching policy decisions with the 5780 DSC and wireless network intelligence
4. Intelligent Traffic Management
4.1 A new breed of unwanted data traffic and anomalies
4.2 Intelligent Traffic Management
4.3 Heavy user use-case example
5. Conclusion
6. Abbreviations
7. Resources

1. The need for wireless network intelligence


The explosion of smartphones, tablet computers, and other wireless-enabled devices, coupled with
the availability of thousands of new applications that leverage IP-based mobile data networks, is
creating a new and challenging environment for the wireless service provider. This environment is
a lot more transient and unpredictable than traditional mobile voice networks and presents unique
and complex challenges for service providers to maintain their subscribers' QoE while securing the
integrity of their networks.
Today, service providers do have the visibility into segments of their network but it is not correlated
to the subscribers and their applications nor does it provide an end-to-end view. As a result, it is
difficult to identify and characterize the impact that specific sources (i.e., devices, local and Internet
applications, etc.) have on network capacity, performance, and security. Traditional radio management
tools can indicate when performance is bad or when a certain capacity is being exceeded, but they
do not explain why or which applications and/or devices are causing the problem.
Service providers also have other tools such as Deep Packet Inspection (DPI) that monitors and
manages core IP traffic, but they cannot identify and report on the impact that IP traffic has on a
specific Radio Access Network (RAN). Using these tools may result in corrective actions that
represent a more broad-brush approach that may not correct the situation and can negatively impact
other subscribers and potentially degrade their service. This broad-brush approach can also squander
precious network resources due to the lack of precision. For example, with some DPI approaches, if
there is congestion in the RAN, service providers can choose to cap service delivery for an entire
application class, thereby impacting customers who are not contributing to the issue; or service
providers might cap service across all traffic from certain subscribers, including applications that
are not creating problems.
To move away from these existing approaches, service providers have to gain an understanding of
the specific interactions between device and application traffic and network performance/capacity
and where these worlds overlap. As depicted in Figure 1, service providers need to fill in the blind
spot that, up until now, has made it hard for them to identify the specific sources of subscriber-impacting issues.
Figure 1. The blind spot facing wireless service providers today
[Figure labels: Network loading and performance; Subscriber wireless IP broadband traffic]

Intelligent Traffic Management | Application Note

2. Extracting wireless network intelligence using the 9900 Wireless Network Guardian
The Alcatel-Lucent 9900 WNG provides a unique insight into this blind spot by understanding the
real-time capacity of all network elements and links. Combined with its application and device
knowledge, the 9900 WNG can correlate each application flow to specific devices, elements, and
links in the RAN, backhaul network, and packet core by following the end-to-end packet flow to
and from the subscriber's device.
This approach allows the 9900 WNG to passively monitor, in real-time, every subscriber's data
experience while automatically analyzing and identifying the root-cause issues such as anomalous
events (e.g., heavy users, signaling overloading, security threats, etc.) that are contributing to a
subscriber's degraded experience.
This also enables the 9900 WNG to identify which network elements are capacity-constrained in
the dimensions of bandwidth, airtime exhaustion, and signaling overload right down to the cell site
level. It also makes clear the sources of these constraints in terms of users, applications, application
servers and devices. This allows service providers to understand what is creating capacity constraints
and also what may be deteriorating performance. Figure 2 illustrates how the 9900 WNG correlates
each device and each application with every network hop to provide deep understanding of how
devices and applications impact the wireless network and how network performance impacts each
subscriber's QoE.
Figure 2. The 9900 WNG providing wireless network intelligence
[Figure labels: Devices; Network; Applications; 9900 Wireless Network Guardian (multivendor, multi-technology, real-time); Impact of performance on subscriber QoE; Impact of subscribers on network loading; Impact of network loading on performance]

With this deep and powerful level of correlation, this unique insight, or wireless network intelligence,
can be used to empower service providers to proactively maintain a subscriber's QoE while securing
the integrity of the network. The next section discusses how wireless network intelligence can be
used to enrich policy decisions with the 5780 DSC.

3. Enriching policy decisions with the 5780 DSC and wireless network intelligence
The Alcatel-Lucent 5780 Dynamic Services Controller (DSC) is a state-of-the-art decision engine
providing wireless service providers with the capabilities to map business demands and network
constraints into easy-to-manage network policy rules. The decision engine uses a set of pre-defined
service provider-configured service policies combined with additional network (device details, access
type, location), subscriber (service tier, entitlements, credit balance), system (state, time of day) and
application information (service description, traffic parameters) that it dynamically obtains from
its various standard interfaces to maximize the effectiveness of its policy decisions. Once policy
decisions are dynamically synthesized by the decision engine, they are formulated into network
consumable rules and sent to the network where they are instantiated and enforced for per-device
per-application data plane treatment. Wireless network intelligence is a new breed of data that can
be used by the 5780 DSC to further enhance the operational capabilities of the service provider.
The logical evolution to maximize the value of this data involves using dynamic policy control to
provide policy-driven functions that can be delivered with velocity, scale, and operational efficiency.
An integrated policy management solution would be able to establish flexible rules to dynamically
examine the highly varying conditions at each cell site and network hop which may vary greatly
from the events and traffic that are viewed from the core. Once a service provider-defined event or
network anomaly (heavy user, security threat, etc.) is identified and deemed to impact subscriber
performance, the policy engine can then trigger an action that would aim to address that condition.
The action can be subscriber notification of the event to warn them of potential service deterioration
and to offer service options that are more aligned with their personal traffic usage patterns. Other
actions can be packet flow de-prioritization or even packet throttling. Figure 3 illustrates the
5780 DSC and the sources of dynamic data that it uses to make policy decisions.
Figure 3. Enhancing the 5780 DSC's rules engine with wireless network intelligence
[Figure labels: inputs to the 5780 DSC's decision engine: Wireless network intelligence (per-subscriber, per-application real-time performance, network impact and anomalies); Subscriber profile/service tier/entitlements; Device details/access type/location; Application details/service description; Network details/updates]

The next section details Alcatel-Lucent's Intelligent Traffic Management (ITM) solution, which
represents the integration of the 9900 WNG with the 5780 DSC to create the service provider
benefits outlined above.

4. Intelligent Traffic Management


4.1 A new breed of unwanted data traffic and anomalies
A new breed of unwanted data traffic and anomalies is taking a foothold in existing wireless
networks today that is causing havoc within the network while compromising a subscriber's QoE.
These anomalous events include, but are not limited to, devices, servers and applications that are
sending virus-laden or virus-generated flows and performing denial of service (DoS) attacks. This
unwanted traffic not only consumes bandwidth but may also consume valuable signaling and
airtime resources.
In addition, this unwanted traffic does not contribute to revenue for the service provider and results in
network capacity being consumed that could otherwise be used to improve and maintain a subscriber's QoE and bolster overall network performance and capacity. By eliminating or controlling this
traffic, OPEX cost savings would be realized since fewer troubleshooting and customer-care expenses
will be incurred. Moreover, CAPEX savings would also be realized since the existing capacity of the
network will be increased.
4.1.1 Unwanted or rogue traffic

Some of the more common sources of unwanted or rogue traffic that can be identified by the
9900 WNG are:
• Peer-to-peer (P2P) traffic: a class of traffic from a specific device, often associated with video
  downloading, that is typically very aggressive in nature and has a tendency to consume massive
  amounts of broadband traffic in an unfair manner. During times of congestion this traffic may
  be a candidate for action provided it imposes on other subscribers.
• Always Active Airtime: when users have a constant wireless communications channel up
  that exceeds normal airtime use attributed to voice or broadband data sessions.
• Port scanning: when a source (mobile device application/Internet server application) attempts
  to cycle through TCP/UDP ports within a device/server or across many devices/servers to
  identify an opening that could be used for an attack or denial of service.
• Signaling attack: when a source seeks to overload the control plane of a 3G/4G wireless network
  using low-volume attack traffic by repeatedly triggering radio channel allocations and revocations.
• Battery attack: when a malicious source commandeers a mobile device's communications channel
  to repeatedly awaken it from an idle low-power slumber into a state of readiness that saps its
  electric power and consumes network resources.
4.1.2 Heavy users

In addition to the aforementioned traffic, every network has a set of non-malicious subscribers
who are consuming an unfair amount of network resources, thereby compromising the overall
QoE of others.
The RAN, backhaul, and packet core elements provide QoS capabilities that deal specifically with
real-time congestion to provide packet prioritization while maximizing network and cell throughput.
However, these functions are generally not subscriber, entitlement, and historical usage aware. For
example, the RAN automatically distributes service equally among all user traffic within the same
QoS class regardless of the subscriber's entitlements, historic traffic use, or potential involvement in
an anomalous event (heavy user, security threat, etc.). In many cases, all subscribers share a single
QoS group for their broadband traffic, opening up opportunities for heavy users to thrive and compromise the QoE of others with the same entitlements. The 9900 WNG is able to detect heavy data
users as well as heavy signaling users.

The next section shows how the sources of these anomalous events and heavy use are identified by
the 9900 WNG and reported to the 5780 DSC so that service provider-defined policies can trigger
an action to alleviate these disruptive conditions.
4.2 Intelligent Traffic Management
ITM is a solution that identifies unwanted or rogue traffic in the wireless network through proactive
real-time network measurement and analytics. It then de-prioritizes, throttles, or removes this traffic,
for a period of time, through policy decisions allowing service providers to protect subscribers' QoE
while better using their network resources.
There are three main functions in the solution, which involve different parts or elements in the network.
The first function is Monitor and Analyze and is performed by the 9900 WNG. The second function
is Process and Trigger and is performed by the 5780 DSC. It is important to note that tight integration
is needed between the 9900 WNG and the 5780 DSC for these two functions to work in concert.
The third and last function is Enforce and Deliver, and relies on the wireless network and various
elements within it to provide both the enforcement and the delivery functions. Figure 4 illustrates a
network view of the solution and the general mechanics behind it.
Figure 4. Intelligent Traffic Management Solution framework
[Figure labels: 9900 Wireless Network Guardian (Monitor and analyze); Anomaly notification; 5780 Dynamic Services Controller (Process and trigger); Radio access network, Backhaul, Packet core (Enforce and deliver)]

4.2.1 Monitor and Analyze

This function is performed by the 9900 WNG by collecting and monitoring subscriber and application
traffic in real-time, which it correlates with the loading and performance of all network elements.
The 9900 WNG then generates subscriber anomaly events (port scans, battery attacks, heavy users, etc.)
and network element performance alerts by evaluating the specific anomalies over a configurable
watching window period.
Each anomaly event and performance alert is evaluated over its own dedicated watching window
or trending period to ensure that it is not a random one-time event but rather a sustained issue
that needs to be addressed. The anomaly being analyzed is assigned an intensity level for every
watching window and is reported to the 5780 DSC with that detail. Each anomaly event's
watching window and intensity level definition is service provider-configurable, thus ensuring
flexible implementation capabilities.

The 9900 WNG notifies the 5780 DSC of all per-subscriber anomalous events (such as high data usage
and signaling subscribers, port scans, etc.). As the subscriber enters into, exits from, or transitions from
one level of intensity to another, the 9900 WNG will notify the 5780 DSC. The 9900 WNG can also
filter notifications and only send a notification if an anomaly is of a specified intensity threshold. In
addition, the 9900 WNG can notify the 5780 DSC of a network element or link that is exhibiting
a performance anomaly such as congestion or signaling overload. When the 9900 WNG notifies the
5780 DSC of a subscriber anomaly event or a network performance event, an assignment is created for
each event against the subscriber or network object.
4.2.2 Process and Trigger

In order to apply the ITM capabilities in a dynamic, consistent, and scalable manner, specific
per-subscriber policies are defined and created within the 5780 DSC. For each policy the service
provider first simply defines items such as the event type (i.e., heavy user, port scans, battery attack, etc.),
event intensity (i.e., 1=low, 5=high), and event precedence. Intensity level is important since it will
give the service provider a threshold level for which to trigger an action. For example, if the intensity
level of a prescribed anomalous event is greater than 4, then an action should be triggered. Furthermore,
intensity level can be used to differentiate different service tiers. For example, intensity level 4
may trigger a policy on gold subscribers but intensity level 2 may trigger the same policy on
bronze subscribers.
Precedence is important as it enables the service provider to create a per-subscriber compound
policy that may involve multiple anomalous events where one may have precedence over another.
For example, if an application on the subscriber's device is executing a port scan, then the
policy may be simply to terminate the subscriber's session even though the subscriber may also be
considered a heavy user. In this case, the service provider would place a higher precedence on the
port scan event over the heavy user status.
Once the event types are defined in a policy, then certain actions are added that can be executed
when certain thresholds are exceeded. One of the benefits of this solution is that the triggered
actions are subscriber entitlement-aware due to the close integration between the 5780 DSC and
the Subscriber Profile Repository (SPR). This means that specific knowledge of the subscriber can
be considered to make actions more meaningful and personalized. Actions can be the following:
• Notification: This action offers an effective way to interact with the subscriber not only to
  notify them of the event but to offer to the subscriber new service options that would be more
  aligned with their traffic patterns.
• QoS changes: This action represents re-prioritizing the underlying IP packet flow to a lower QoS
  class. This is a very effective action as it will not discard packets, and application performance
  will not deteriorate for the subscriber unless there is congestion on one of the network elements
  in the end-to-end path.
• Packet throttle: This action represents throttling the underlying IP packet flow in the packet
  core. Subscriber application performance will be impacted immediately.
• Terminate session: This action terminates the actual broadband data session. This action is
  typically reserved for malicious security threats like port scans, battery attacks, etc.
Once the policy is created (event type, intensity, precedence, actions) then the rules engine of
the 5780 DSC is used to define the subscribers and the conditions under which the policy is to be
applied. The rules engine is essential in applying policies with scale and flexibility to meet the
ever-changing environment.
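The notification and policy logic of sections 4.2.1 and 4.2.2, as an added Python sketch; it is not Alcatel-Lucent code and does not reproduce any 9900 WNG or 5780 DSC interface. The class names, window bounds, tier thresholds, precedence values, the "at or above threshold" comparison, and the sample data are all assumptions made for illustration.

```python
from bisect import bisect_right
from dataclasses import dataclass

def intensity_level(measure, bounds):
    """Map one watching-window measurement to a level 0..len(bounds); 0 means no anomaly."""
    return bisect_right(bounds, measure)

class IntensityTracker:
    """Monitor-and-analyze side (hypothetical): notify only on enter / transition / exit."""
    def __init__(self, min_intensity=1):
        self.min_intensity = min_intensity  # notification filter threshold
        self.last = {}                      # (subscriber, event_type) -> last reported level

    def observe(self, subscriber, event_type, level):
        key = (subscriber, event_type)
        level = level if level >= self.min_intensity else 0
        prev = self.last.get(key, 0)
        if level == prev:
            return None                     # same level as the last window: nothing to send
        if level == 0:
            del self.last[key]
            kind = "exit"
        else:
            self.last[key] = level
            kind = "enter" if prev == 0 else "transition"
        return {"subscriber": subscriber, "event_type": event_type,
                "intensity": level, "kind": kind}

@dataclass(frozen=True)
class Rule:
    event_type: str
    precedence: int    # higher value wins in a compound policy
    thresholds: dict   # service tier -> lowest intensity (1=low, 5=high) that triggers
    action: str        # notify | qos_downgrade | throttle | terminate

class PolicyEngine:
    """Process-and-trigger side (hypothetical): one action per subscriber, by precedence."""
    def __init__(self, rules, tiers):
        self.rules = {r.event_type: r for r in rules}
        self.tiers = tiers        # subscriber -> tier; stand-in for an SPR lookup
        self.assignments = {}     # subscriber -> {event_type: intensity}

    def handle(self, note):
        active = self.assignments.setdefault(note["subscriber"], {})
        if note["kind"] == "exit":
            active.pop(note["event_type"], None)
        else:
            active[note["event_type"]] = note["intensity"]
        return self.decide(note["subscriber"])

    def decide(self, subscriber):
        tier = self.tiers[subscriber]
        triggered = [
            self.rules[ev] for ev, level in self.assignments.get(subscriber, {}).items()
            if ev in self.rules and level >= self.rules[ev].thresholds.get(tier, float("inf"))]
        return max(triggered, key=lambda r: r.precedence).action if triggered else None

# Constructed sample data: heavy-user volume per watching window (MB) and port-scan levels.
HEAVY_BOUNDS_MB = [100, 250, 500, 1000, 2000]
RULES = [Rule("heavy_user", 10, {"gold": 4, "bronze": 2}, "qos_downgrade"),
         Rule("port_scan", 90, {"gold": 1, "bronze": 1}, "terminate")]
TIERS = {"sub-gold": "gold", "sub-bronze": "bronze"}
WINDOWS = [("sub-gold", "heavy_user", intensity_level(300, HEAVY_BOUNDS_MB)),    # level 2
           ("sub-bronze", "heavy_user", intensity_level(300, HEAVY_BOUNDS_MB)),  # level 2
           ("sub-bronze", "heavy_user", intensity_level(310, HEAVY_BOUNDS_MB)),  # unchanged
           ("sub-gold", "heavy_user", intensity_level(1200, HEAVY_BOUNDS_MB)),   # level 4
           ("sub-gold", "port_scan", 3),                                         # scan starts
           ("sub-gold", "port_scan", 0),                                         # scan stops
           ("sub-gold", "heavy_user", intensity_level(50, HEAVY_BOUNDS_MB))]     # level 0

def run_demo():
    tracker, engine = IntensityTracker(), PolicyEngine(RULES, TIERS)
    out = []
    for sub, ev, level in WINDOWS:
        note = tracker.observe(sub, ev, level)
        if note:
            out.append((sub, ev, note["kind"], note["intensity"], engine.handle(note)))
    return out
```

In the constructed run, the same level-2 heavy-user event triggers a QoS change for the bronze subscriber but not the gold one, and the port scan overrides the heavy-user action until it exits.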
4.2.3 Enforce and Deliver

Enforcement and delivery is the instantiation of the policy rules into the network by the network
elements. Once the 5780 DSC synthesizes the policy rules into a set of network-consumable actions it
communicates these actions to the network via the 3rd Generation Partnership Project (3GPP) standard
Gx interface for enforcement at specific network enforcement points. In 3G networks, communication
will go directly through the Gx interface to the Gateway GPRS Node Support (GGSN); and
in 4G networks communication will go directly through the Gx interface to the Packet Data Network
Gateway (PGW). For both 3G and 4G networks, the Gx interfaces can be used to communicate
directly with the DPI appliance for enforcement. These enforcement points are used to either
re-prioritize, throttle, or terminate the packet flow that has been identified as being anomalous.
Once these packet flows are acted upon at the enforcement points (e.g., re-prioritized, throttled) they
need to be delivered across the end-to-end wireless network with the specific priority and performance
dictated by the policy. It is the collective responsibility of each network element in the packet core,
the backhaul network, and the radio access network to provide this delivery function.
4.3 Heavy user use-case example
Internal Alcatel-Lucent research on real mobile broadband network usage data has shown that the
top few percent of users generate a disproportionate percentage of the total network load. Based on
real network measurements using the 9900 WNG, Figure 5 has been created to demonstrate this
trend. In Figure 5, Smartphone A and Smartphone B represent data usage for different devices in
the research.
Figure 5. Disproportionate data use from a small number of users
[Plot: x-axis "Percentage (%) of top UEs by volume" (0 to 50); y-axis "Percentage (%) of total traffic volume by specific UEs" (0 to 100); series Smartphone A and Smartphone B. Annotation: Small percentage of users use disproportionate amounts of bandwidth; 80% of volume consumed by 10% of devices]


From this graph it is clear that the top 10% of data users consumed 80% of traffic and the top
20% of data users consumed 90% of traffic. In fact, internal studies show that long-term heavy
users are repeat offenders since the top 5% of data users of the preceding day consumed between
30 and 35% of data in congested times (peak periods) during the next day. It is clear there are users
that are consuming a disproportionate amount of resources and, during times of congestion, are
using more than their fair share of bandwidth. The issue with this phenomenon is that this extra
bandwidth use from heavy users is not being monetized yet it impacts the QoE of other valued
subscribers during times of contention. One of the reasons why this happens is due to the fact that
the QoS capabilities in the network do not distinguish between a user consuming massive amounts
of broadband data and a normal behaving user within the same QoS class. Moreover, in many wireless
network deployments, all broadband traffic sessions are often lumped into the same QoS class,
which exacerbates the situation.

This is where ITM can really help. With ITM, the service provider can create their own definition
for what a heavy user is by specifying their own intensity levels. Once this definition is set, the
solution will provide a notification of the new events, thus making the service provider aware of all
heavy users and when the users transition to and from various intensity levels. The service provider
can create specific policies that can be unique for each subscriber class and their personal entitlements,
and prescribe when an action(s) should take place and what the action should be. In many cases,
the action would be either to re-prioritize or throttle the heavy user's packet flow during times of
congestion or during times when other subscribers would be impacted. If there is enough network
capacity for all subscribers, then actions may not be needed.
An action could also include a personal notification to the subscriber offering higher performance
service options or options that are tailored more specifically to their personal usage patterns. This
is good for the subscriber since they would be charged more precisely for the personal usage they
consume leading to more value. This is also good for the service provider since they would more
precisely monetize their network.

5. Conclusion
In the new era of wireless broadband networks it is essential for service providers to understand how
traffic impacts their network and how it relates to device-specific application packet flows. This
knowledge is called wireless network intelligence. Without this knowledge, service providers are
operating in a blind fashion and really do not understand how to protect their subscribers' QoE and
secure the integrity of their network. ITM not only provides wireless network intelligence, but it
offers a solution that uses this intelligence to create network-wide policies that protect monetized
users from malicious security threats and heavy users. This keeps subscriber QoE high, and reduces
churn, while securing the integrity of the network.

6. Abbreviations
3GPP   3rd Generation Partnership Project
DoS    Denial of Service
DPI    Deep Packet Inspection
DSC    Dynamic Services Controller
GGSN   Gateway GPRS Node Support
ITM    Intelligent Traffic Management
P2P    Peer-to-Peer
PGW    Packet Data Network Gateway
QoE    Quality of Experience
QoS    Quality of Service
RAN    Radio Access Network
SPR    Subscriber Profile Repository
UE     User Equipment
WNG    Wireless Network Guardian

7. Resources
"Improving QoE With an Intelligent Look into Wireless Network Capacity," Techzine feature article,
Sept 21, 2010, http://www2.alcatel-lucent.com/blogs/techzine/
"Personalizing the Network: Policy End to End," Heavy Reading on behalf of Alcatel-Lucent,
November 2010
www.alcatel-lucent.com/5780dsc
www.alcatel-lucent.com/9900wng
www.alcatel-lucent.com/itm

www.alcatel-lucent.com

Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent.
All other trademarks are the property of their respective owners.
The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility
for inaccuracies contained herein. Copyright 2011 Alcatel-Lucent. All rights reserved.
CPG2896110204 (02)
