
APPLICATION NOTE

Intelligent Traffic Management


Protecting the Subscriber's QoE while Securing the Integrity of the Wireless Network

Abstract
With the widespread adoption of new smart devices and their applications, wireless service providers are facing a challenging environment in the advent of broadband wireless communications. Not only is there an explosion of broadband data, but the way that these new applications are stressing the network is unpredictable, transient, and at times unexpected. This has created an environment where the monitoring and analytic tools of the legacy systems are no longer suitable to really understand these new issues. This paper first describes how the 9900 Wireless Network Guardian (WNG) is able to uniquely understand the dynamics of wireless broadband data and correlate it hop-by-hop to device-specific IP packet flows. With this new insight (i.e., Wireless Network Intelligence), the wireless service provider will be in a position to identify specific network anomalies down to the specific device and application that could compromise the mobile data experience of a valued subscriber and potentially jeopardize the integrity of the network itself. This paper then discusses how the 5780 Dynamic Services Controller (DSC) can leverage this intelligence to create new business rules that can be dynamically triggered to protect the Quality of Experience (QoE) of valued subscribers while bolstering the integrity of the wireless network. Finally, this paper presents the solution called Intelligent Traffic Management (ITM) that represents the integration between the 9900 WNG and the 5780 DSC and details the specific mechanics behind it.

Table of contents
1. The need for wireless network intelligence
2. Extracting wireless network intelligence using the 9900 Wireless Network Guardian
3. Enriching policy decisions with the 5780 DSC and wireless network intelligence
4. Intelligent Traffic Management
4.1 A new breed of unwanted data traffic and anomalies
4.2 Intelligent Traffic Management
4.3 Heavy user use-case example
5. Conclusion
6. Abbreviations
7. Resources

1. The need for wireless network intelligence


The explosion of smartphones, tablet computers, and other wireless-enabled devices, coupled with the availability of thousands of new applications that leverage IP-based mobile data networks, is creating a new and challenging environment for the wireless service provider. This environment is a lot more transient and unpredictable than traditional mobile voice networks and presents unique and complex challenges for service providers to maintain their subscribers' QoE while securing the integrity of their networks. Today, service providers do have visibility into segments of their network, but it is not correlated to the subscribers and their applications, nor does it provide an end-to-end view. As a result, it is difficult to identify and characterize the impact that specific sources (i.e., devices, local and Internet applications, etc.) have on network capacity, performance, and security. Traditional radio management tools can indicate when performance is bad or when a certain capacity is being exceeded, but they do not explain why or which applications and/or devices are causing the problem. Service providers also have other tools, such as Deep Packet Inspection (DPI), that monitor and manage core IP traffic, but they cannot identify and report on the impact that IP traffic has on a specific Radio Access Network (RAN). Using these tools may result in corrective actions that represent a more broad-brush approach that may not correct the situation and can negatively impact other subscribers and potentially degrade their service. This broad-brush approach can also squander precious network resources due to the lack of precision.
For example, with some DPI approaches, if there is congestion in the RAN, service providers can choose to cap service delivery for an entire application class, thereby impacting customers who are not contributing to the issue; or service providers might cap service across all traffic from certain subscribers, including applications that are not creating problems. To move away from these existing approaches, service providers have to gain an understanding of the specific interactions between device and application traffic and network performance/capacity and where these worlds overlap. As depicted in Figure 1, service providers need to fill in the blind spot that, up until now, has made it hard for them to identify the specific sources of subscriber-impacting issues.
Figure 1. The blind spot facing wireless service providers today
[Figure: the blind spot ("?") lies where "Network loading and performance" and "Subscriber wireless IP broadband traffic" overlap]

Intelligent Traffic Management | Application Note

2. Extracting wireless network intelligence using the 9900 Wireless Network Guardian
The Alcatel-Lucent 9900 WNG provides a unique insight into this blind spot by understanding the real-time capacity of all network elements and links. Combined with its application and device knowledge, the 9900 WNG can correlate each application flow to specific devices, elements, and links in the RAN, backhaul network, and packet core by following the end-to-end packet flow to and from the subscriber's device. This approach allows the 9900 WNG to passively monitor, in real time, every subscriber's data experience while automatically analyzing and identifying the root-cause issues, such as anomalous events (e.g., heavy users, signaling overloading, security threats, etc.), that are contributing to a subscriber's degraded experience. This also enables the 9900 WNG to identify which network elements are capacity-constrained in the dimensions of bandwidth, airtime exhaustion, and signaling overload, right down to the cell site level. It also makes clear the sources of these constraints in terms of users, applications, application servers and devices. This allows service providers to understand what is creating capacity constraints and also what may be deteriorating performance. Figure 2 illustrates how the 9900 WNG correlates each device and each application with every network hop to provide deep understanding of how devices and applications impact the wireless network and how network performance impacts each subscriber's QoE.
Figure 2. The 9900 WNG providing wireless network intelligence
[Figure: the 9900 Wireless Network Guardian (multivendor, multi-technology, real-time) correlating Devices, Network and Applications: impact of performance on subscriber QoE, impact of subscribers on network loading, impact of network loading on performance]

With this deep and powerful level of correlation, this unique insight, or wireless network intelligence, can be used to empower service providers to proactively maintain a subscriber's QoE while securing the integrity of the network. The next section discusses how wireless network intelligence can be used to enrich policy decisions with the 5780 DSC.


3. Enriching policy decisions with the 5780 DSC and wireless network intelligence
The Alcatel-Lucent 5780 Dynamic Services Controller (DSC) is a state-of-the-art decision engine providing wireless service providers with the capabilities to map business demands and network constraints into easy-to-manage network policy rules. The decision engine uses a set of pre-defined service provider-configured service policies combined with additional network (device details, access type, location), subscriber (service tier, entitlements, credit balance), system (state, time of day) and application information (service description, traffic parameters) that it dynamically obtains from its various standard interfaces to maximize the effectiveness of its policy decisions. Once policy decisions are dynamically synthesized by the decision engine, they are formulated into network consumable rules and sent to the network where they are instantiated and enforced for per-device per-application data plane treatment. Wireless network intelligence is a new breed of data that can be used by the 5780 DSC to further enhance the operational capabilities of the service provider. The logical evolution to maximize the value of this data involves using dynamic policy control to provide policy-driven functions that can be delivered with velocity, scale, and operational efficiency. An integrated policy management solution would be able to establish flexible rules to dynamically examine the highly varying conditions at each cell site and network hop which may vary greatly from the events and traffic that are viewed from the core. Once a service provider-defined event or network anomaly (heavy user, security threat, etc.) is identified and deemed to impact subscriber performance, the policy engine can then trigger an action that would aim to address that condition. The action can be subscriber notification of the event to warn them of potential service deterioration and to offer service options that are more aligned with their personal traffic usage patterns. 
Other actions can be packet flow de-prioritization or even packet throttling. Figure 3 illustrates the 5780 DSC and the sources of dynamic data that it uses to make policy decisions.
Figure 3. Enhancing the 5780 DSC's rules engine with wireless network intelligence
[Figure: inputs to the 5780 DSC's decision engine: wireless network intelligence (per-subscriber, per-application real-time performance, network impact and anomalies); device details/access type/location; subscriber profile/service tier/entitlements; application details/service description; network details/updates]


The next section details Alcatel-Lucent's Intelligent Traffic Management (ITM) solution, which represents the integration of the 9900 WNG with the 5780 DSC to create the service provider benefits outlined above.

4. Intelligent Traffic Management


4.1 A new breed of unwanted data traffic and anomalies
A new breed of unwanted data traffic and anomalies is taking a foothold in existing wireless networks today, causing havoc within the network while compromising a subscriber's QoE. These anomalous events include, but are not limited to, devices, servers and applications that are sending virus-laden or virus-generated flows and performing denial of service (DoS) attacks. This unwanted traffic not only consumes bandwidth but may also consume valuable signaling and airtime resources. In addition, this unwanted traffic does not contribute to revenue for the service provider and results in network capacity being consumed that could otherwise be used to improve and maintain a subscriber's QoE and bolster overall network performance and capacity. By eliminating or controlling this traffic, OPEX cost savings would be realized since less troubleshooting and customer-care expenses will be incurred. Moreover, CAPEX savings would also be realized since the existing capacity of the network will be increased.
4.1.1 Unwanted or rogue traffic

Some of the more common sources of unwanted or rogue traffic that can be identified by the 9900 WNG are:
• Peer-to-peer (P2P) traffic: a class of traffic from a specific device, often associated with video downloading, that is typically very aggressive in nature and has a tendency to consume massive amounts of broadband traffic in an unfair manner. During times of congestion this traffic may be a candidate for action provided it imposes on other subscribers.
• Always Active Airtime: when users have a constant wireless communications channel up that exceeds normal airtime use attributed to voice or broadband data sessions.
• Port scanning: when a source (mobile device application/Internet server application) attempts to cycle through TCP/UDP ports within a device/server or across many devices/servers to identify an opening that could be used for an attack or denial of service.
• Signaling attack: when a source seeks to overload the control plane of a 3G/4G wireless network using low-volume attack traffic by repeatedly triggering radio channel allocations and revocations.
• Battery attack: when a malicious source commandeers a mobile device's communications channel to repeatedly awaken it from an idle low-power slumber into a state of readiness that saps its electric power and consumes network resources.
4.1.2 Heavy users

In addition to the aforementioned traffic, every network has a set of non-malicious subscribers who are consuming an unfair amount of network resources, thereby compromising the overall QoE of others. The RAN, backhaul, and packet core elements provide QoS capabilities that deal specifically with real-time congestion to provide packet prioritization while maximizing network and cell throughput. However, these functions are generally not aware of subscribers, entitlements, or historical usage. For example, the RAN automatically distributes service equally among all user traffic within the same QoS class regardless of the subscriber's entitlements, historic traffic use, or potential involvement in an anomalous event (heavy user, security threat, etc.). In many cases, all subscribers share a single QoS group for their broadband traffic, opening up opportunities for heavy users to thrive and compromise the QoE of others with the same entitlements. The 9900 WNG is able to detect heavy data users as well as heavy signaling users.

The next section shows how the sources of these anomalous events and heavy use are identified by the 9900 WNG and reported to the 5780 DSC so that service provider-defined policies can trigger an action to alleviate these disruptive conditions.

4.2 Intelligent Traffic Management
ITM is a solution that identifies unwanted or rogue traffic in the wireless network through proactive real-time network measurement and analytics. It then de-prioritizes, throttles, or removes this traffic, for a period of time, through policy decisions, allowing service providers to protect subscribers' QoE while better using their network resources. There are three main functions in the solution, which involve different parts or elements in the network. The first function is Monitor and Analyze and is performed by the 9900 WNG. The second function is Process and Trigger and is performed by the 5780 DSC. It is important to note that tight integration is needed between the 9900 WNG and the 5780 DSC for these two functions to work in concert. The third and last function is Enforce and Deliver, and relies on the wireless network and various elements within it to provide both the enforcement and the delivery functions. Figure 4 illustrates a network view of the solution and the general mechanics behind it.
Figure 4. Intelligent Traffic Management Solution framework
[Figure: the 9900 Wireless Network Guardian (Monitor and analyze) sends anomaly notifications to the 5780 Dynamic Services Controller (Process and trigger); the radio access network, backhaul and packet core Enforce and deliver]

4.2.1 Monitor and Analyze

This function is performed by the 9900 WNG, which collects and monitors subscriber and application traffic in real time and correlates it with the loading and performance of all network elements. The 9900 WNG then generates subscriber anomaly events (port scans, battery attacks, heavy users, etc.) and network element performance alerts by evaluating the specific anomalies over a configurable watching window period. Each anomaly event and performance alert is evaluated over its own dedicated watching window or trending period to ensure that it is not a random one-time event but rather a sustained issue that needs to be addressed. The anomaly being analyzed is assigned an intensity level for every watching window and is reported to the 5780 DSC with that detail. Each anomaly event's watching window and intensity level definition is service provider-configurable, thus ensuring flexible implementation capabilities.


The 9900 WNG notifies the 5780 DSC of all per-subscriber anomalous events (such as high data usage and signaling subscribers, port scans, etc.). As the subscriber enters into, exits from, or transitions from one level of intensity to another, the 9900 WNG will notify the 5780 DSC. The 9900 WNG can also filter notifications and only send a notification if an anomaly reaches a specified intensity threshold. In addition, the 9900 WNG can notify the 5780 DSC of a network element or link that is exhibiting a performance anomaly such as congestion or signaling overload. When the 9900 WNG notifies the 5780 DSC of a subscriber anomaly event or a network performance event, an assignment is created for each event against the subscriber or network object.
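
The watching-window behaviour described above can be sketched as follows. This is an added example, not Alcatel-Lucent code or the 9900 WNG's algorithm: the median-based rating, the threshold values, the subscriber id and all class and function names are assumptions chosen for illustration.

```python
from collections import deque
from dataclasses import dataclass
from statistics import median

# Assumed per-interval thresholds (MB per measurement interval) -> intensity.
# The note only fixes the scale (1 = low, 5 = high); these numbers are invented.
HEAVY_USER_LEVELS = [(100, 1), (200, 2), (400, 3), (800, 4), (1600, 5)]


@dataclass(frozen=True)
class Notification:
    subscriber: str
    event_type: str
    kind: str        # "enter", "exit" or "transition"
    old_level: int   # 0 means "no anomaly reported"
    new_level: int


class WatchingWindow:
    """Rates one anomaly type for one subscriber over a sliding window."""

    def __init__(self, subscriber, event_type, levels, window=5, min_notify=1):
        self.subscriber = subscriber
        self.event_type = event_type
        self.levels = sorted(levels)
        self.window = window
        self.min_notify = min_notify        # notification filter threshold
        self.samples = deque(maxlen=window)
        self.reported = 0                   # last level sent to the policy engine

    def _rate(self, value):
        level = 0
        for threshold, candidate in self.levels:
            if value >= threshold:
                level = candidate
        return level

    def observe(self, value):
        """Feed one interval's measurement; return a Notification or None."""
        self.samples.append(value)
        if len(self.samples) < self.window:
            return None                     # not enough history yet
        # The median only moves when most of the window moves, so a single
        # burst (or a single quiet interval) does not change the level.
        level = self._rate(median(self.samples))
        visible = level if level >= self.min_notify else 0
        old, self.reported = self.reported, visible
        if visible == old:
            return None
        kind = "enter" if old == 0 else "exit" if visible == 0 else "transition"
        return Notification(self.subscriber, self.event_type, kind, old, visible)


def replay(samples, min_notify=1):
    """Run constructed samples through one window; return (kind, old, new)."""
    w = WatchingWindow("sub-001", "heavy_user", HEAVY_USER_LEVELS,
                       window=5, min_notify=min_notify)
    notes = [w.observe(s) for s in samples]
    return [(n.kind, n.old_level, n.new_level) for n in notes if n]


# Constructed sample: one isolated 1800 MB burst, then sustained heavy use.
SAMPLES = [20, 1800, 30, 25, 40, 450, 500, 480, 900, 950, 1000, 60, 30, 20, 10]

if __name__ == "__main__":
    for row in replay(SAMPLES):
        print(row)
```

The isolated burst produces no event, while the sustained period produces an enter, a transition and an exit; raising min_notify suppresses the lower-intensity stage.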
4.2.2 Process and Trigger

In order to apply the ITM capabilities in a dynamic, consistent, and scalable manner, specific per-subscriber policies are defined and created within the 5780 DSC. For each policy the service provider first simply defines items such as the event type (e.g., heavy user, port scans, battery attack, etc.), event intensity (i.e., 1=low, 5=high), and event precedence. Intensity level is important since it gives the service provider a threshold level at which to trigger an action. For example, if the intensity level of a prescribed anomalous event is greater than 4, then an action should be triggered. Furthermore, intensity level can be used to differentiate service tiers. For example, intensity level 4 may trigger a policy on gold subscribers but intensity level 2 may trigger the same policy on bronze subscribers. Precedence is important as it enables the service provider to create a per-subscriber compound policy that may involve multiple anomalous events where one may have precedence over another. For example, if an application on the subscriber's device is executing a port scan, then the policy may be simply to terminate the subscriber's session even though the subscriber may also be considered a heavy user. In this case, the service provider would place a higher precedence on the port scan event over the heavy user status. Once the event types are defined in a policy, certain actions are added that can be executed when certain thresholds are exceeded. One of the benefits of this solution is that the triggered actions are subscriber entitlement-aware due to the close integration between the 5780 DSC and the Subscriber Profile Repository (SPR). This means that specific knowledge of the subscriber can be considered to make actions more meaningful and personalized.
Actions can be the following:
• Notification: This action offers an effective way to interact with the subscriber, not only to notify them of the event but to offer the subscriber new service options that would be more aligned with their traffic patterns.
• QoS changes: This action represents re-prioritizing the underlying IP packet flow to a lower QoS class. This is a very effective action as it will not discard packets, and application performance will not deteriorate for the subscriber unless there is congestion on one of the network elements in the end-to-end path.
• Packet throttle: This action represents throttling the underlying IP packet flow in the packet core. Subscriber application performance will be impacted immediately.
• Terminate session: This action terminates the actual broadband data session. This action is typically reserved for malicious security threats like port scans, battery attacks, etc.
Once the policy is created (event type, intensity, precedence, actions), the rules engine of the 5780 DSC is used to define the subscribers and the conditions under which the policy is to be applied. The rules engine is essential in applying policies with scale and flexibility to meet the ever-changing environment.
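
A compound per-subscriber policy of the kind described in this section, with tier-dependent intensity thresholds and precedence between event types, can be sketched as below. This is an added example, not the 5780 DSC's rule language or API: the rule structure, precedence numbers, thresholds, congestion gating and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NONE = "none"
    NOTIFY = "notification"
    QOS_CHANGE = "qos_change"
    THROTTLE = "packet_throttle"
    TERMINATE = "terminate_session"


@dataclass(frozen=True)
class Rule:
    event_type: str
    precedence: int          # higher value wins when several rules fire
    min_intensity: dict      # service tier -> lowest intensity that triggers
    action: Action
    congestion_only: bool = False

    def fires(self, tier, intensity, congested):
        # "*" is a fallback tier; with no entry for the tier the rule never fires.
        threshold = self.min_intensity.get(tier, self.min_intensity.get("*"))
        if threshold is None or intensity < threshold:
            return False
        return congested or not self.congestion_only


# Constructed policy: security events outrank heavy use, and gold subscribers
# tolerate a higher heavy-user intensity than bronze before being re-prioritized.
POLICY = [
    Rule("port_scan", 100, {"*": 2}, Action.TERMINATE),
    Rule("battery_attack", 90, {"*": 2}, Action.TERMINATE),
    Rule("heavy_user", 10, {"gold": 4, "bronze": 2}, Action.QOS_CHANGE,
         congestion_only=True),
    Rule("heavy_user", 5, {"gold": 3, "bronze": 1}, Action.NOTIFY),
]


def decide(tier, active_events, congested, policy=POLICY):
    """Pick one action for a subscriber.

    active_events maps event type -> current intensity (1..5), as reported
    by the monitoring function. Returns (Action, triggering event or None).
    """
    fired = [
        rule for rule in policy
        if rule.event_type in active_events
        and rule.fires(tier, active_events[rule.event_type], congested)
    ]
    if not fired:
        return (Action.NONE, None)
    top = max(fired, key=lambda rule: rule.precedence)
    return (top.action, top.event_type)


if __name__ == "__main__":
    print(decide("bronze", {"heavy_user": 2}, congested=True))
    print(decide("gold", {"heavy_user": 5, "port_scan": 3}, congested=True))
```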
4.2.3 Enforce and Deliver

Enforcement and delivery is the instantiation of the policy rules into the network by the network elements. Once the 5780 DSC synthesizes the policy rules into a set of network-consumable actions, it communicates these actions to the network via the 3rd Generation Partnership Project (3GPP) standard Gx interface for enforcement at specific network enforcement points. In 3G networks, communication will go directly through the Gx interface to the Gateway GPRS Support Node (GGSN); and in 4G networks communication will go directly through the Gx interface to the Packet Data Network Gateway (PGW). For both 3G and 4G networks, the Gx interfaces can be used to communicate directly with the DPI appliance for enforcement. These enforcement points are used to either re-prioritize, throttle, or terminate the packet flow that has been identified as being anomalous. Once these packet flows are acted upon at the enforcement points (e.g., re-prioritized, throttled) they need to be delivered across the end-to-end wireless network with the specific priority and performance dictated by the policy. It is the collective responsibility of each network element in the packet core, the backhaul network, and the radio access network to provide this delivery function.

4.3 Heavy user use-case example
Internal Alcatel-Lucent research on real mobile broadband network usage data has shown that the top few percent of users generate a disproportionate percentage of the total network load. Based on real network measurements using the 9900 WNG, Figure 5 has been created to demonstrate this trend. In Figure 5, Smartphone A and Smartphone B represent data usage for different devices in the research.
Figure 5. Disproportionate data use from a small number of users
[Figure: curves for Smartphone A and Smartphone B; x-axis: percentage (%) of top UEs by volume (0 to 50); y-axis: percentage (%) of total traffic volume by specific UEs (0 to 100); annotation: a small percentage of users use disproportionate amounts of bandwidth, 80% of volume consumed by 10% of devices]

From this graph it is clear that the top 10% of data users consumed 80% of traffic and the top 20% of data users consumed 90% of traffic. In fact, internal studies show that long-term heavy users are repeat offenders, since the top 5% of data users of the preceding day consumed between 30 and 35% of data in congested times (peak periods) during the next day. It is clear there are users that are consuming a disproportionate amount of resources and, during times of congestion, are using more than their fair share of bandwidth. The issue with this phenomenon is that this extra bandwidth use from heavy users is not being monetized, yet it impacts the QoE of other valued subscribers during times of contention. One of the reasons why this happens is that the QoS capabilities in the network do not distinguish between a user consuming massive amounts of broadband data and a normally behaving user within the same QoS class. Moreover, in many wireless network deployments, all broadband traffic sessions are often lumped into the same QoS class, which exacerbates the situation.


This is where ITM can really help. With ITM, the service provider can create their own definition for what a heavy user is by specifying their own intensity levels. Once this definition is set, the solution will provide a notification of the new events, thus making the service provider aware of all heavy users and when the users transition to and from various intensity levels. The service provider can create specific policies that can be unique for each subscriber class and their personal entitlements, and prescribe when an action(s) should take place and what the action should be. In many cases, the action would be either to re-prioritize or throttle the heavy user's packet flow during times of congestion or during times when other subscribers would be impacted. If there is enough network capacity for all subscribers, then actions may not be needed. An action could also include a personal notification to the subscriber offering higher performance service options or options that are tailored more specifically to their personal usage patterns. This is good for the subscriber since they would be charged more precisely for the personal usage they consume, leading to more value. This is also good for the service provider since they would more precisely monetize their network.

5. Conclusion
In the new era of wireless broadband networks it is essential for service providers to understand how traffic impacts their network and how it relates to device-specific application packet flows. This knowledge is called wireless network intelligence. Without this knowledge, service providers are operating in a blind fashion and really do not understand how to protect their subscribers' QoE and secure the integrity of their network. ITM not only provides wireless network intelligence, but it offers a solution that uses this intelligence to create network-wide policies that protect monetized users from malicious security threats and heavy users. This keeps subscriber QoE high, and reduces churn, while securing the integrity of the network.

6. Abbreviations
3GPP    3rd Generation Partnership Project
DoS     Denial of Service
DPI     Deep Packet Inspection
DSC     Dynamic Services Controller
GGSN    Gateway GPRS Support Node
ITM     Intelligent Traffic Management
P2P     Peer-to-Peer
PGW     Packet Data Network Gateway
QoE     Quality of Experience
QoS     Quality of Service
RAN     Radio Access Network
SPR     Subscriber Profile Repository
UE      User Equipment
WNG     Wireless Network Guardian

7. Resources
Improving QoE With an Intelligent Look into Wireless Network Capacity, Techzine feature article, Sept 21, 2010, http://www2.alcatel-lucent.com/blogs/techzine/
Personalizing the Network: Policy End to End, Heavy Reading on behalf of Alcatel-Lucent, November 2010
www.alcatel-lucent.com/5780dsc
www.alcatel-lucent.com/9900wng
www.alcatel-lucent.com/itm

www.alcatel-lucent.com

Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2011 Alcatel-Lucent. All rights reserved. CPG2896110204 (02)
