WO2015036033A1 - Traffic analysis for user activity detection - Google Patents

Traffic analysis for user activity detection Download PDF

Info

Publication number
WO2015036033A1
WO2015036033A1 PCT/EP2013/069007 EP2013069007W WO2015036033A1 WO 2015036033 A1 WO2015036033 A1 WO 2015036033A1 EP 2013069007 W EP2013069007 W EP 2013069007W WO 2015036033 A1 WO2015036033 A1 WO 2015036033A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
traffic
user equipment
user activity
activity
Prior art date
Application number
PCT/EP2013/069007
Other languages
French (fr)
Inventor
Péter KERSCH
Gábor NÉMETH
Lásló TOKA
Géza SZABÓ
Original Assignee
Telefonaktiebolaget L M Ericsson (Publ)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Telefonaktiebolaget L M Ericsson (Publ) filed Critical Telefonaktiebolaget L M Ericsson (Publ)
Priority to PCT/EP2013/069007 priority Critical patent/WO2015036033A1/en
Publication of WO2015036033A1 publication Critical patent/WO2015036033A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/535Tracking the activity of the user
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/02Capturing of monitoring data
    • H04L43/026Capturing of monitoring data using flow identification
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/02Capturing of monitoring data
    • H04L43/028Capturing of monitoring data by filtering

Definitions

  • the present invention relates to methods for analyzing data traffic and to corresponding devices.
  • DPI Deep Packet Inspection
  • IP Internet Protocol
  • the infrastructure of the communication network may be optimized or services provided to the users may be controlled, e.g., in terms of Quality of Service (QoS).
  • QoS Quality of Service
  • the type of traffic generated by a certain UE does not necessarily represent the activity of a user of the UE, in the following referred to as user activity.
  • the data traffic may be generated by an application executed in the background, without active participation of the user. This may for example be the case when the UE automatically updates emails or the social networking status.
  • Information on the actual user activity may be valuable for various purposes.
  • the actual user activity may provide a more useful information basis for optimizing the network infrastructure and other business analytics.
  • a method for analyzing data traffic is provided. According to the method, data traffic related to at least one UE is monitored. Further, a user activity related to the at least one UE is detected. Further, it is determined that a traffic pattern in the monitored data traffic is characteristic for the user activity. The traffic pattern is stored as being characteristic for the user activity. According to a further embodiment of the invention, a method for analyzing data traffic is provided. According to the method, data traffic related to a UE is monitored. The monitored data traffic is compared to a traffic pattern which is stored as being characteristic for a user activity. On the basis of the comparison, it is determined that an actual user activity related to the UE corresponds to the user activity for which the traffic pattern is characteristic.
  • a device for a communication network comprises an interface for receiving data traffic related to at least one UE. Further, the device comprises at least one processor. The at least one processor is configured to monitor the data traffic related to the at least one UE. Further, the at least one processor is configured to detect a user activity related to the at least one UE. Further, the at least one processor is configured to determine that a traffic pattern in the monitored data traffic is characteristic for the detected user activity and to store the traffic pattern as being characteristic for the user activity. According to a further embodiment of the invention, a device for a communication network is provided. The device comprises an interface for receiving data traffic related to at least one UE. Further, the device comprises at least one processor.
  • the at least one processor is configured to monitor the data traffic related to the UE. Further, the at least one processor is configured to compare the monitored data traffic to a traffic pattern which is stored as being characteristic for a user activity and, on the basis of the comparison, determine that an actual user activity related to the UE corresponds to the user activity for which the traffic pattern is characteristic.
  • a computer program comprises program code to be executed by at least one processor of a device for a communication network. Execution of the program code causes the device to monitor the data traffic related to at least one UE. Further, execution of the program code causes the device to detect a user activity related to the at least one UE. Further, execution of the program code causes the device to determine that a traffic pattern in the monitored data traffic is characteristic for the detected user activity and to store the traffic pattern as being characteristic for the user activity.
  • a computer program is provided. The computer program comprises program code to be executed by at least one processor of a device for a communication network.
  • Execution of the program code causes the device to monitor the data traffic related to at least one UE. Further, execution of the program code causes the device to compare the monitored data traffic to a traffic pattern which is stored as being characteristic for a user activity and, on the basis of the comparison, determine that an actual user activity related to the UE corresponds to the user activity for which the traffic pattern is characteristic.
  • Fig. 1 schematically illustrates an exemplary communication network environment in which traffic analysis according to an embodiment of the invention may be applied.
  • Fig. 2 shows a block diagram for illustrating functionalities of a traffic analysis system according to an embodiment of the invention.
  • Fig. 3 shows an exemplary traffic pattern which is characteristic for a gaming user activity.
  • Fig. 4 shows an exemplary traffic pattern which is characteristic for a social networking user activity.
  • Fig. 5 shows a block diagram for illustrating functionalities of a service management system according to an embodiment of the invention.
  • Fig. 6 shows a flowchart for illustrating a method according to an embodiment of the invention.
  • Fig. 7 shows a flowchart for illustrating a further method according to an embodiment of the invention.
  • Fig. 8 schematically illustrates structures of a traffic analysis node according to an embodiment of the invention.
  • the illustrated concepts relate to traffic analysis in a communication network.
  • the communication network may for example be a cellular communication network, e.g., as specified by the 3 rd Generation Partnership Project (3GPP).
  • the communication network may support various radio access technologies, e.g., GSM (Global System for Mobile communication), UMTS (Universal Terrestrial Mobile Telecommunications System) or Wideband CDMA (Code Division Multiple Access), CDMA2000, WiMaX, or LTE (Long Term Evolution).
  • GSM Global System for Mobile communication
  • UMTS Universal Terrestrial Mobile Telecommunications System
  • Wideband CDMA Code Division Multiple Access
  • CDMA2000 Code Division Multiple Access
  • WiMaX Long Term Evolution
  • LTE Long Term Evolution
  • wire based access technologies may be supported, such as Digital Subscriber Line (DSL), coaxial cable, or optical fibre.
  • DSL Digital Subscriber Line
  • coaxial cable or optical fibre.
  • a set of one or more UEs may be used to learn traffic patterns which are characteristic for a certain user activity related to a UE, i.e., a certain activity performed by the user of the UE and involving usage of the UE. Examples of such user activities are social networking and online gaming. Further, such user activity could also involve using the UE for navigation or assistance in sporting, e.g., as a location tracker, heart rate monitor, timer, training diary, or the like.
  • the user activity may be detected, e.g., by an activity logging application executed on the UE.
  • the data traffic related to the UE e.g., data traffic to and/or from the UE, is monitored, so that a traffic pattern which is characteristic for the user activity can be determined.
  • This characteristic traffic pattern may for example be defined as including multiple packet flows of a certain traffic type, which may be required to occur in a certain time order. Further, the characteristic traffic pattern may also be defined in terms of a duration of such packet flows.
  • a packet flow refers to a sequence of data packets between two specific endpoints, e.g., as identified by a source IP address and destination IP address, and typically also source port number and destination port number.
  • the monitored data traffic may be recorded in a database on UE and then indicated to a traffic analysis system in the communication network, or may be indicated by the UE to a traffic analysis system and then be stored in a network-based database.
  • the detected user activities and the monitored data traffic may then be correlated to determine the characteristic traffic pattern.
  • the traffic pattern may be determined in such a way that it allows for distinguishing the user activity from other user activities.
  • the traffic pattern may allow for distinguishing between an online gaming user activity and a social networking user activity.
  • the learned characteristic traffic pattern may then be used to detect the actual user activity by monitoring the data traffic of a UE. This may also be applied for UEs which were not involved in the learning of the characteristic traffic pattern.
  • a relatively small set of UEs may be used to learn the characteristic traffic pattern, and the learned characteristic traffic pattern may then be applied to detect the actual user activity of other UEs.
  • the detected actual user activity may then be used for various purposes, e.g., for managing a service provided to the UE, e.g., in terms of QoS, or for providing targeted advertisements or offers.
  • the detected user activity may be used for optimizing the network infrastructure to better support frequently detected user activities, or for other types of technical or business analytics. For example, an operator could detect that a certain user is frequently engaged in a certain preferred user activity, such as online gaming, and then present targeted offers to this user, e.g., for a subscription or UE model which suits the preferred user activity.
  • the data traffic of a UE during a certain user activity typically forms a characteristic traffic pattern with several traffic types, e.g., gaming data traffic, location based service data traffic, data traffic for showing of a video attachment in a webmail service, or data traffic which is specific to the UE or operating system of the UE.
  • traffic types e.g., gaming data traffic, location based service data traffic, data traffic for showing of a video attachment in a webmail service, or data traffic which is specific to the UE or operating system of the UE.
  • Fig. 1 illustrates an exemplary communication network environment in which the concepts as outlined above may be applied.
  • Fig. 1 illustrates the communication network 10 and a plurality of UEs 50-1 , 50-2, 50-3, 50-4, 50-5, 50-6 connected to the communication network 10.
  • the UEs 50-1 , 50-2, 50-3, 50-4, 50-5, 50-6 may correspond to different device types, e.g., a mobile phone, such as the UEs 50-1 , 50-2, 50-4, and 50-6, or a PC or notebook computer, such as UEs 50-3 and 50-5.
  • Other UE types could be present as well, e.g., tablet computers or gaming devices.
  • the communication network 10 is in turn equipped with a traffic monitor 80, which allows for monitoring and analyzing the data traffic related to the various devices 50-1 , 50-2, 50-3, 50- 4, 50-5, 50-6.
  • the traffic monitor 80 may for example detect flows of a certain type in the data traffic which, e.g., by performing DPI.
  • the monitoring results may then be used in a traffic analysis system for learning characteristic traffic patterns, as further illustrated in Fig. 2, or for managing provision of services by a service management system, as further illustrated in Fig. 5.
  • Fig. 2 further illustrates functionalities of a traffic analysis system 100.
  • the traffic analysis system 100 is provided with functionalities for monitoring and processing the data traffic 1 10 related to one or more UEs to determine one or more characteristic traffic patterns which are then stored in a mapping database 200.
  • each characteristic traffic pattern is mapped to a certain user activity for which it is characteristic.
  • these functionalities include the traffic monitor 80 and a correlation processor 150.
  • the correlation processor 150 receives the monitored data traffic 1 10 and activity logs 120 with recorded user activities.
  • activity logs may be provided by a limited set of UEs on which an activity logging application is provided, e.g., the UEs 50-1 , 50-2, 50-3 of Fig. 1.
  • the activity logging application may run in the background, so that the users of the corresponding UEs are not affected.
  • the activity logging application may provide logs which represent an on-screen activity or usage of other input/output interfaces of the UE.
  • the activity logs may also represent active usage of one or more specific applications. Accordingly, such user activities may be defined in terms of usage of a certain application, e.g., an online game, or in terms of more complex activities involving usage of multiple applications, e.g., a gaming activity involving both usage of a gaming application and a social networking application.
  • the correlation processor 150 operates to correlate the detected user activities as represented by the activity logs 120 and the monitored data traffic 1 10.
  • the correlation processor 150 may correlate a certain user activity to a pattern of traffic flows as detected by the traffic monitor 80.
  • Various types of machine-learning algorithms may be used for learning the characteristic traffic pattern for a certain user activity from such correlations, e.g., algorithms for building a decision tree.
  • such machine-learning algorithm may be based on a training vector which consists of traffic types and packet flows transferred to or from the UE in a certain time interval, e.g., of 30 s. For each packet flow of a given type, for example an aggregate flow duration in the time interval may be defined in the training vector.
  • a multidimensional activity indicator vector may be used, which includes one or more flags to indicate, e.g., when the display of the UE was activated or deactivated, if the UE was being charged, to indicate execution of one or more specific applications or processes, and preferably also a mode of executing the application, e.g., in the foreground, with visible service, visible service provider, or the like. Considerations involved in the correlation processing performed by the correlation processor 150 will be further explained below.
  • the data traffic related to a UE will include traffic components which are due to the current user activity and other traffic components which are unrelated to the current user activity, e.g., due to one or more applications running in the background.
  • Usage of applications requiring a log-in may require a connection to an authentication server.
  • a typical example of a corresponding user activity is usage of a social networking application which connects to a social networking platform.
  • a social networking platform may be used as authentication proxy for other applications requiring a log-in.
  • the connection to a social networking platform may also be used to identify interaction partners, e.g., for communication or gaming.
  • Online gaming applications are in many cases turn based, which means that the connection to a social networking platform for authentication or gaming partner selection does not need to be maintained continuously, but may rather be used only at an initial stage of a gaming session. In other gaming applications, e.g., with frequent turns or with realtime interaction, the connection to the social networking platform may be needed more frequently.
  • Some user activities involve access to location based services, e.g., to a map service. Corresponding data traffic may occur at an initial stage of the user activity and/or regularly while the user activity continues.
  • a specific example of a user activity is web-browsing. Also in this case, not only data traffic for retrieving web content may be generated, e.g., HTTP (Hypertext Transfer Protocol) traffic, but also additional traffic, e.g., for supporting a "like" feature as provided by a social networking platform.
  • HTTP Hypertext Transfer Protocol
  • Some user activities may also generate background traffic related to various kinds of cloud services.
  • Some user activities involve transfer of realtime media data, e.g., Voice over IP data or realtime video data.
  • a certain user activity may therefore be identified by a characteristic traffic pattern defined in terms of a time order in which such different traffic types occur.
  • characteristic traffic pattern could be defined as a pattern in which data packets of the different traffic types are transmitted.
  • a more efficient and robust detection of user activities may be achieved by rather defining the characteristic traffic pattern in terms of a time order in which certain packet flows occur in the monitored data traffic, preferably also taking into account the durations of the flows. Examples of such characteristic traffic patterns are shown in the diagrams of Figs. 3 and 4.
  • the characteristic traffic pattern of Fig. 3 relates to an online gaming user activity, and includes a first traffic type related to social networking, a second traffic type related to advertising, a third traffic type related to gaming, and a fourth traffic type related to authentication, e.g., using the TLS (Transport Layer Security) protocol.
  • the vertical axis represents the aggregate duration of packet flows of the same type in a certain time interval, e.g., of 30 s duration.
  • time bins e.g., of 1 ms duration may be defined, and the transferred traffic volume of the given traffic type and packet flow in such time bin may be measured to obtain the aggregate packet flow duration by summing over the last time bins with transferred traffic of the given traffic type and packet flow.
  • the characteristic traffic pattern includes initial packet flows of medium duration which relate to the first traffic type and fourth traffic type, i.e., social networking and authentication. This may be attributed to authentication when logging-in to start an online gaming session and searching or selecting one or more gaming partners. Then, packet flows of short duration may follow, which relate to the second and third traffic types, i.e., advertising and gaming. This may be attributed to initial contact with an online gaming platform and an advertising platform. Next, a packet flow of medium duration follows, which relates to the third traffic type, i.e., gaming. This may be attributed to a regular interaction with the gaming platform, e.g., for transferring data of a new game turn.
  • the third traffic type i.e., gaming. This may be attributed to a regular interaction with the gaming platform, e.g., for transferring data of a new game turn.
  • a packet flow of long duration follows, which relates to the second traffic type, i.e., advertising.
  • the characteristic traffic pattern of Fig. 4 relates to a social networking user activity, with an online gaming application, in particular online poker, being in the background.
  • the characteristic traffic pattern includes the first traffic type related to social networking, the third traffic type related to gaming, and the fourth traffic type related to authentication, e.g., using the TLS (Transport Layer Security) protocol.
  • the second traffic type related to advertising is not present in this case.
  • the vertical axis represents the aggregate duration of packet flows of the same type in a certain time interval, e.g.
  • the characteristic traffic pattern includes initial packet flows of short duration which relate to the fourth traffic type, i.e., authentication. This may be attributed to authentication when logging-in to the social networking platform. Then, packet flows of medium and long duration may follow, which relate to the first traffic type, i.e., social networking. This may be attributed to regular interaction with the social networking platform, e.g., to transfer communication messages or other data. Further, also packet flows of medium duration may follow, which relate to the third traffic type, i.e., gaming. This may be attributed to a regular interaction with the gaming platform, e.g., for transferring data of a new game turn. As can be seen, the characteristic traffic patterns of Figs. 3 and 4 differ from each other, which allows for distinguishing between the different underlying user activities.
  • Fig. 5 further illustrates functionalities of a service management system in which the learned characteristic traffic patterns stored in the database 200 may be utilized.
  • the service management system is provided with functionalities for monitoring the data traffic 310 related to one or more UEs and to compare the monitored data traffic to one or more of the characteristic traffic patterns which are stored in the mapping database 200.
  • each stored characteristic traffic pattern is mapped to a certain user activity for which it is characteristic.
  • these functionalities include the traffic monitor 80 and a comparison processor 350.
  • the comparison processor 350 receives the monitored data traffic 310 and compares the monitored data traffic 310 to the stored characteristic traffic patterns.
  • the monitored data traffic 310 may be data traffic of UEs provided with the activity logging application, e.g., the UEs 50-1 , 50-2, 50-3 of Fig. 1 , but may also or alternatively be data traffic of other UEs, not provided with such activity logging application, e.g., the UEs 50-4, 50-5, 50-6 of Fig. 1 .
  • the comparison processor 350 operates to compare the monitored data traffic 310 to one or more of the stored characteristic traffic patterns. If a matching characteristic traffic pattern is found, the comparison processor 350 may determine that the actual user activity related to the UE associated with the monitored data traffic 310 corresponds to the user activity for which the traffic pattern is characteristic, i.e., to which it is mapped according to the database 200.
  • the determined actual user activity may then be used to provide a management policy 320, e.g., with respect to QoS provided for services of the UE or with respect to advertisements or offers presented to the user of the UE.
  • the comparison processor 350 may implement various algorithms to match the monitored data traffic 310 with the characteristic traffic pattern. For example, a tree-based decision algorithm may be used. In some implementations, the comparison processor 350 may also implement a neural network. It is noted that the traffic analysis system 100 of Fig. 2 and the service management system 300 of Fig. 5 may also combined in a single system in which learning of the characteristic traffic pattern(s) and their application for determining actual user activities is performed concurrently. Fig.
  • FIG. 6 shows a flowchart for illustrating a method for analyzing data traffic, which may be used to implement the above-mentioned concepts.
  • the steps of the method may for example be performed in a traffic analysis system of the communication network, e.g., as illustrated in Fig. 2.
  • data traffic related to at least one UE is monitored. This may for example be accomplished by a traffic monitor in the communication network, such as the traffic monitor 80.
  • the UE itself may be perform the monitoring or assist in the monitoring process, e.g., by providing traffic logs.
  • the monitoring may for example involve DPI or other packet inspection technologies.
  • the monitoring may involve detection of packet flows in the monitored data traffic.
  • a user activity related to the UE is detected. This may be performed by an activity logging application executed on the UE or on the basis of an indication provided by such activity logging application. As mentioned above, such activity logging application may be installed on a limited set of UEs, which are used for learning characteristic traffic patterns.
  • the user activity typically involves active usage of a user interface of the UE.
  • such user interface may be implemented by a visual input and/or output device of the UE, e.g., a display or camera.
  • the user interface may also be implemented by an acoustic input and/or output device of the UE, e.g., a microphone or loudspeaker.
  • the user interface may also be implemented by one or more finger input sensors of the UE, such as a touchscreen, touchpad, keypad, or the like.
  • the user activity may also involve usage of one or more specific applications on the UE. Operations involving usage of the user interface or applications may be efficiently detected by the activity logging application.
  • a characteristic traffic pattern is determined, i.e., it is determined that a traffic pattern in the monitored data traffic is characteristic for the user activity detected at step 620. This may be accomplished in such a way that the characteristic traffic pattern allows for distinguishing the user activity from one or more other user activities, which are associated with different traffic patterns.
  • the traffic pattern may be defined in terms of one or more packet flows of a certain traffic type. Preferably, the traffic pattern is defined in terms of a time order of the packet flows and/or a duration of one or more of the packet flows.
  • the characteristic traffic pattern determined at step 630 is stored as being characteristic for the user activity, e.g., in a database which maps the characteristic traffic pattern to the user activity, such as the mapping database 200.
  • the stored characteristic traffic pattern may then be used for determining an actual user activity related to a UE, by comparing further monitored data traffic related to the same UE(s) to the characteristic traffic pattern and/or by monitoring data traffic related to one or more further UEs, not involved in the detection of the user activity at step 620, and comparing this data traffic to the stored characteristic traffic pattern.
  • Fig. 7 shows a flowchart for illustrating a method for analyzing data traffic, which may be used to implement the above-mentioned concepts. The steps of the method may for example be performed in a service management system of the communication network, e.g., as illustrated in Fig. 5.
  • data traffic related to at least one UE is monitored. This may for example be accomplished by a traffic monitor in the communication network, such as the traffic monitor 80.
  • the monitoring may for example involve DPI or other packet inspection technologies.
  • the monitoring may involve detection of packet flows in the monitored data traffic.
  • the monitored data traffic is compared to one or more characteristic traffic patterns.
  • characteristic traffic pattern is stored as being characteristic for a certain user activity, e.g., in a database which maps the characteristic traffic pattern to the user activity, such as the mapping database 200.
  • the characteristic traffic pattern may allow for distinguishing the user activity from one or more other user activities, which are associated with different traffic patterns.
  • the user activity typically involves active usage of a user interface of the UE.
  • a user interface of the UE may be implemented by a visual input and/or output device of the UE, e.g., a display or camera.
  • the user interface may also be implemented by an acoustic input and/or output device of the UE, e.g., a microphone or loudspeaker.
  • the user interface may also be implemented by one or more finger input sensors of the UE, such as a touchscreen, touchpad, keypad, or the like.
  • the user activity may also involve usage of one or more specific applications on the UE.
  • the traffic pattern may be defined in terms of one or more packet flows of a certain traffic type. Preferably, the traffic pattern is defined in terms of a time order of the packet flows and/or a duration of one or more of the packet flows.
  • an actual user activity related to the UE is determined on the basis of the comparison of step 720.
  • the determined actual user activity may then be used for managing one or more services provided to the UE, e.g., in terms of QoS or by providing targeted advertisements or offers to the user. It is to be understood that the methods of Figs. 6 and 7 may also be performed in combination, e.g., by using the method of Fig. 6 to learn one ore more characteristic traffic patterns and using the method of Fig.
  • Fig. 8 illustrates an exemplary implementation of a traffic analysis node 800 which may be used to implement the above concepts.
  • the illustrated structures may for example be used to implement functionalities as illustrated in Fig. 2 or 5.
  • the traffic analysis node 800 includes at least one interface 840, which may be used for monitoring data traffic in a communication network.
  • the interface 840 may be used to receive the monitored data traffic or to receive information concerning the monitored traffic from other nodes, such as the traffic monitor 80 or a UE.
  • the interface 840 may also be used to receive indications of user activities, such as the activity logs 120 from UEs.
  • the traffic analysis node 800 includes one or more processor(s) 850 coupled to the interface 840 and a memory 860 coupled to the processor(s) 850.
  • the memory 860 may include a read-only memory (ROM), e.g., a flash ROM, a random-access memory (RAM), e.g., a dynamic RAM (DRAM) or static RAM (SRAM), a mass storage, e.g., a hard disk or solid state disk, or the like.
  • the memory 860 includes suitably configured program code modules to be executed by the processor(s) 850 so as to implement the above-described functionalities of the traffic analysis system 100 and/or service management system 300.
  • the program code modules in the memory 860 may include a monitoring module 870 so as to implement the above-described functionalities of monitoring data traffic related to one or more UEs. Further, the program code modules in the memory 860 may also include an analysis module 880 so as to implement the above-mentioned functionalities of correlating detected user activities to traffic patterns to determine a characteristic data pattern for a user activity, and/or of comparing the monitored data traffic to one or more stored characteristic traffic patterns to determine the actual user activity of a UE. Further, the memory 860 may also include a traffic pattern database 890 for storing the learnt characteristic traffic pattern(s).
  • the structure as illustrated in Fig. 8 is merely schematic and that the traffic analysis node 800 may actually include further components which, for the sake of clarity, have not been illustrated, e.g., further interfaces or further processors.
  • the memory 860 may include further types of program code modules, which have not been illustrated, e.g., program code modules for implementing known traffic analysis functionalities, machine learning algorithms, and/or comparison algorithms.
  • a computer program may be provided for implementing functionalities of the traffic analysis node 800, e.g., in the form of a medium storing the program code modules to be stored in the memory 860 or by making such program code available for download.
  • the concepts as described above may be used for determining the actual user activity of a UE and to distinguish between data traffic generated by applications or processes on the UE which are executed in the background, without directly involving the user, and data traffic which is due to specific user activities, i.e., involve active participation of the user, such as activities involving usage of applications currently presenting information on the display or receiving user inputs.
  • the concepts may be implemented in an efficient manner by allowing to use only a limited set of UEs for learning the characteristic traffic pattern(s), while the learnt characteristic traffic patterns may be applied to a much larger group of UEs, e.g., to all UEs connecting to the communication network, without requiring any specific participation from this larger group of UEs.
  • the above concepts may be implemented by using correspondingly designed software to be executed by one or more processors of an existing device, or by using dedicated device hardware.
  • the traffic analysis node as described herein may be implemented by a single device or by multiple devices, e.g., a device cloud or system of cooperating devices. Further, at least some of the illustrated functionalities for learning the characteristic traffic pattern(s) could be implemented in a UE.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Data traffic of at least one user equipment (50-1, 50-2, 50-3) is monitored, and a user activity of the user equipment (50-1, 50-2, 50-3) is detected. Further, it is determined that a traffic pattern in the monitored data traffic is characteristic for the user activity. The traffic pattern is then stored as being characteristic for the user activity. The stored traffic pattern may then be used for determining the actual user activity of a user equipment (50-1, 50-2, 50-3, 50-4, 50-5, 50-6), by comparing monitored data traffic of the user equipment (50-1, 50-2, 50-3, 50-4, 50-5, 50-6) to the stored characteristic traffic pattern.

Description

Traffic analysis for user activity detection Technical Field
The present invention relates to methods for analyzing data traffic and to corresponding devices. Background
In communication networks, it is known to monitor and analyze data traffic of users. Such analysis may provide information on the type of data traffic generated by a certain user equipment (UE). For example, Deep Packet Inspection (DPI) or other packet inspection techniques may be used to distinguish between different types of Internet Protocol (IP) traffic, such as email traffic, social networking traffic, web browsing traffic, file downloading traffic, or the like. On the basis of such information, the infrastructure of the communication network may be optimized or services provided to the users may be controlled, e.g., in terms of Quality of Service (QoS).
However, the type of traffic generated by a certain UE does not necessarily represent the activity of a user of the UE, in the following referred to as user activity. For example, the data traffic may be generated by an application executed in the background, without active participation of the user. This may for example be the case when the UE automatically updates emails or the social networking status.
Information on the actual user activity may be valuable for various purposes. For example, the actual user activity may provide a more useful information basis for optimizing the network infrastructure and other business analytics.
Accordingly, there is a need for techniques which allow for efficiently determining the actual user activity.
Summary
According to an embodiment of the invention, a method for analyzing data traffic is provided. According to the method, data traffic related to at least one UE is monitored. Further, a user activity related to the at least one UE is detected. Further, it is determined that a traffic pattern in the monitored data traffic is characteristic for the user activity. The traffic pattern is stored as being characteristic for the user activity. According to a further embodiment of the invention, a method for analyzing data traffic is provided. According to the method, data traffic related to a UE is monitored. The monitored data traffic is compared to a traffic pattern which is stored as being characteristic for a user activity. On the basis of the comparison, it is determined that an actual user activity related to the UE corresponds to the user activity for which the traffic pattern is characteristic.
According to a further embodiment of the invention, a device for a communication network is provided. The device comprises an interface for receiving data traffic related to at least one UE. Further, the device comprises at least one processor. The at least one processor is configured to monitor the data traffic related to the at least one UE. Further, the at least one processor is configured to detect a user activity related to the at least one UE. Further, the at least one processor is configured to determine that a traffic pattern in the monitored data traffic is characteristic for the detected user activity and to store the traffic pattern as being characteristic for the user activity. According to a further embodiment of the invention, a device for a communication network is provided. The device comprises an interface for receiving data traffic related to at least one UE. Further, the device comprises at least one processor. The at least one processor is configured to monitor the data traffic related to the UE. Further, the at least one processor is configured to compare the monitored data traffic to a traffic pattern which is stored as being characteristic for a user activity and, on the basis of the comparison, determine that an actual user activity related to the UE corresponds to the user activity for which the traffic pattern is characteristic.
According to a further embodiment of the invention, a computer program is provided. The computer program comprises program code to be executed by at least one processor of a device for a communication network. Execution of the program code causes the device to monitor the data traffic related to at least one UE. Further, execution of the program code causes the device to detect a user activity related to the at least one UE. Further, execution of the program code causes the device to determine that a traffic pattern in the monitored data traffic is characteristic for the detected user activity and to store the traffic pattern as being characteristic for the user activity. According to a further embodiment of the invention, a computer program is provided. The computer program comprises program code to be executed by at least one processor of a device for a communication network. Execution of the program code causes the device to monitor the data traffic related to at least one UE. Further, execution of the program code causes the device to compare the monitored data traffic to a traffic pattern which is stored as being characteristic for a user activity and, on the basis of the comparison, determine that an actual user activity related to the UE corresponds to the user activity for which the traffic pattern is characteristic. Brief Description of the Drawings
Fig. 1 schematically illustrates an exemplary communication network environment in which traffic analysis according to an embodiment of the invention may be applied. Fig. 2 shows a block diagram for illustrating functionalities of a traffic analysis system according to an embodiment of the invention.
Fig. 3 shows an exemplary traffic pattern which is characteristic for a gaming user activity. Fig. 4 shows an exemplary traffic pattern which is characteristic for a social networking user activity.
Fig. 5 shows a block diagram for illustrating functionalities of a service management system according to an embodiment of the invention.
Fig. 6 shows a flowchart for illustrating a method according to an embodiment of the invention.
Fig. 7 shows a flowchart for illustrating a further method according to an embodiment of the invention.
Fig. 8 schematically illustrates structures of a traffic analysis node according to an embodiment of the invention.
Detailed Description of Embodiments In the following, concepts according to embodiments of the invention will be explained in more detail by referring to the accompanying drawings. The illustrated concepts relate to traffic analysis in a communication network. The communication network may for example be a cellular communication network, e.g., as specified by the 3rd Generation Partnership Project (3GPP). The communication network may support various radio access technologies, e.g., GSM (Global System for Mobile communication), UMTS (Universal Terrestrial Mobile Telecommunications System) or Wideband CDMA (Code Division Multiple Access), CDMA2000, WiMaX, or LTE (Long Term Evolution). Further, also wire based access technologies may be supported, such as Digital Subscriber Line (DSL), coaxial cable, or optical fibre.
According to the illustrated concepts, a set of one or more UEs may be used to learn traffic patterns which are characteristic for a certain user activity related to a UE, i.e., a certain activity performed by the user of the UE and involving usage of the UE. Examples of such user activities are social networking and online gaming. Further, such user activity could also involve using the UE for navigation or assistance in sporting, e.g., as a location tracker, heart rate monitor, timer, training diary, or the like.
For learning such characteristic traffic pattern, the user activity may be detected, e.g., by an activity logging application executed on the UE. Further, the data traffic related to the UE, e.g., data traffic to and/or from the UE, is monitored, so that a traffic pattern which is characteristic for the user activity can be determined. This characteristic traffic pattern may for example be defined as including multiple packet flows of a certain traffic type, which may be required to occur in a certain time order. Further, the characteristic traffic pattern may also be defined in terms of a duration of such packet flows. As used herein, a packet flow refers to a sequence of data packets between two specific endpoints, e.g., as identified by a source IP address and destination IP address, and typically also source port number and destination port number. The monitored data traffic may be recorded in a database on UE and then indicated to a traffic analysis system in the communication network, or may be indicated by the UE to a traffic analysis system and then be stored in a network-based database. The detected user activities and the monitored data traffic may then be correlated to determine the characteristic traffic pattern. In particular, the traffic pattern may be determined in such a way that it allows for distinguishing the user activity from other user activities. For example, the traffic pattern may allow for distinguishing between an online gaming user activity and a social networking user activity. The learned characteristic traffic pattern may then be used to detect the actual user activity by monitoring the data traffic of a UE. This may also be applied for UEs which were not involved in the learning of the characteristic traffic pattern. Accordingly, a relatively small set of UEs may be used to learn the characteristic traffic pattern, and the learned characteristic traffic pattern may then be applied to detect the actual user activity of other UEs. This allows for efficiently implementing the concepts, e.g., because the activity logging application does not need to be provided on every UE for which the actual user activity is detected. The detected actual user activity may then be used for various purposes, e.g., for managing a service provided to the UE, e.g., in terms of QoS, or for providing targeted advertisements or offers. Further, the detected user activity may be used for optimizing the network infrastructure to better support frequently detected user activities, or for other types of technical or business analytics. For example, an operator could detect that a certain user is frequently engaged in a certain preferred user activity, such as online gaming, and then present targeted offers to this user, e.g., for a subscription or UE model which suits the preferred user activity.
In the illustrated concepts, it may be utilized that the data traffic of a UE during a certain user activity typically forms a characteristic traffic pattern with several traffic types, e.g., gaming data traffic, location based service data traffic, data traffic for showing of a video attachment in a webmail service, or data traffic which is specific to the UE or operating system of the UE. Once such characteristic traffic patterns are known and correlated to a corresponding user activity, they can be used to infer the actual user activity by monitoring the data traffic of the UE.
Fig. 1 illustrates an exemplary communication network environment in which the concepts as outlined above may be applied. Specifically, Fig. 1 illustrates the communication network 10 and a plurality of UEs 50-1 , 50-2, 50-3, 50-4, 50-5, 50-6 connected to the communication network 10. As illustrated, the UEs 50-1 , 50-2, 50-3, 50-4, 50-5, 50-6 may correspond to different device types, e.g., a mobile phone, such as the UEs 50-1 , 50-2, 50-4, and 50-6, or a PC or notebook computer, such as UEs 50-3 and 50-5. Other UE types could be present as well, e.g., tablet computers or gaming devices. The communication network 10 is in turn equipped with a traffic monitor 80, which allows for monitoring and analyzing the data traffic related to the various devices 50-1 , 50-2, 50-3, 50- 4, 50-5, 50-6. The traffic monitor 80 may for example detect flows of a certain type in the data traffic which, e.g., by performing DPI. The monitoring results may then be used in a traffic analysis system for learning characteristic traffic patterns, as further illustrated in Fig. 2, or for managing provision of services by a service management system, as further illustrated in Fig. 5.
Fig. 2 further illustrates functionalities of a traffic analysis system 100. As illustrated in Fig. 2, the traffic analysis system 100 is provided with functionalities for monitoring and processing the data traffic 1 10 related to one or more UEs to determine one or more characteristic traffic patterns which are then stored in a mapping database 200. In the mapping database, each characteristic traffic pattern is mapped to a certain user activity for which it is characteristic. As illustrated, these functionalities include the traffic monitor 80 and a correlation processor 150. The correlation processor 150 receives the monitored data traffic 1 10 and activity logs 120 with recorded user activities. As mentioned above, such activity logs may be provided by a limited set of UEs on which an activity logging application is provided, e.g., the UEs 50-1 , 50-2, 50-3 of Fig. 1. Other UEs, e.g., the UEs 50-4, 50-5, 50-6 of Fig. 1 , may not be provided with the activity logging application. The activity logging application may run in the background, so that the users of the corresponding UEs are not affected. For example, the activity logging application may provide logs which represent an on-screen activity or usage of other input/output interfaces of the UE. The activity logs may also represent active usage of one or more specific applications. Accordingly, such user activities may be defined in terms of usage of a certain application, e.g., an online game, or in terms of more complex activities involving usage of multiple applications, e.g., a gaming activity involving both usage of a gaming application and a social networking application. The correlation processor 150 operates to correlate the detected user activities as represented by the activity logs 120 and the monitored data traffic 1 10. In particular, the correlation processor 150 may correlate a certain user activity to a pattern of traffic flows as detected by the traffic monitor 80. Various types of machine-learning algorithms may be used for learning the characteristic traffic pattern for a certain user activity from such correlations, e.g., algorithms for building a decision tree.
For example, such machine-learning algorithm may be based on a training vector which consists of traffic types and packet flows transferred to or from the UE in a certain time interval, e.g., of 30 s. For each packet flow of a given type, for example an aggregate flow duration in the time interval may be defined in the training vector. Further, a multidimensional activity indicator vector may be used, which includes one or more flags to indicate, e.g., when the display of the UE was activated or deactivated, if the UE was being charged, to indicate execution of one or more specific applications or processes, and preferably also a mode of executing the application, e.g., in the foreground, with visible service, visible service provider, or the like. Considerations involved in the correlation processing performed by the correlation processor 150 will be further explained below.
Generally, the data traffic related to a UE will include traffic components which are due to the current user activity and other traffic components which are unrelated to the current user activity, e.g., due to one or more applications running in the background.
Usage of applications requiring a log-in may require a connection to an authentication server. A typical example of a corresponding user activity is usage of a social networking application which connects to a social networking platform. Such a social networking platform may be used as authentication proxy for other applications requiring a log-in. The connection to a social networking platform may also be used to identify interaction partners, e.g., for communication or gaming.
Online gaming applications are in many cases turn based, which means that the connection to a social networking platform for authentication or gaming partner selection does not need to be maintained continuously, but may rather be used only at an initial stage of a gaming session. In other gaming applications, e.g., with frequent turns or with realtime interaction, the connection to the social networking platform may be needed more frequently. Some user activities involve access to location based services, e.g., to a map service. Corresponding data traffic may occur at an initial stage of the user activity and/or regularly while the user activity continues.
A specific example of a user activity is web-browsing. Also in this case, not only data traffic for retrieving web content may be generated, e.g., HTTP (Hypertext Transfer Protocol) traffic, but also additional traffic, e.g., for supporting a "like" feature as provided by a social networking platform.
Some user activities may also generate background traffic related to various kinds of cloud services. Some user activities involve transfer of realtime media data, e.g., Voice over IP data or realtime video data.
In view of the above, a certain user activity may therefore be identified by a characteristic traffic pattern defined in terms of a time order in which such different traffic types occur. Generally, such characteristic traffic pattern could be defined as a pattern in which data packets of the different traffic types are transmitted. However, a more efficient and robust detection of user activities may be achieved by rather defining the characteristic traffic pattern in terms of a time order in which certain packet flows occur in the monitored data traffic, preferably also taking into account the durations of the flows. Examples of such characteristic traffic patterns are shown in the diagrams of Figs. 3 and 4.
The characteristic traffic pattern of Fig. 3 relates to an online gaming user activity, and includes a first traffic type related to social networking, a second traffic type related to advertising, a third traffic type related to gaming, and a fourth traffic type related to authentication, e.g., using the TLS (Transport Layer Security) protocol. The vertical axis represents the aggregate duration of packet flows of the same type in a certain time interval, e.g., of 30 s duration. For measurement of such traffic pattern, time bins, e.g., of 1 ms duration may be defined, and the transferred traffic volume of the given traffic type and packet flow in such time bin may be measured to obtain the aggregate packet flow duration by summing over the last time bins with transferred traffic of the given traffic type and packet flow.
As illustrated, the characteristic traffic pattern includes initial packet flows of medium duration which relate to the first traffic type and fourth traffic type, i.e., social networking and authentication. This may be attributed to authentication when logging-in to start an online gaming session and searching or selecting one or more gaming partners. Then, packet flows of short duration may follow, which relate to the second and third traffic types, i.e., advertising and gaming. This may be attributed to initial contact with an online gaming platform and an advertising platform. Next, a packet flow of medium duration follows, which relates to the third traffic type, i.e., gaming. This may be attributed to a regular interaction with the gaming platform, e.g., for transferring data of a new game turn. Next, a packet flow of long duration follows, which relates to the second traffic type, i.e., advertising. This may be attributed to transfer of advertisement data to the UE, to be presented to the user during the online gaming session. The characteristic traffic pattern of Fig. 4 relates to a social networking user activity, with an online gaming application, in particular online poker, being in the background. Again, the characteristic traffic pattern includes the first traffic type related to social networking, the third traffic type related to gaming, and the fourth traffic type related to authentication, e.g., using the TLS (Transport Layer Security) protocol. The second traffic type related to advertising is not present in this case. Also in this case, the vertical axis represents the aggregate duration of packet flows of the same type in a certain time interval, e.g. of 30 s duration, and the traffic pattern may be measured as explained in connection with Fig. 3. As illustrated, the characteristic traffic pattern includes initial packet flows of short duration which relate to the fourth traffic type, i.e., authentication. This may be attributed to authentication when logging-in to the social networking platform. Then, packet flows of medium and long duration may follow, which relate to the first traffic type, i.e., social networking. This may be attributed to regular interaction with the social networking platform, e.g., to transfer communication messages or other data. Further, also packet flows of medium duration may follow, which relate to the third traffic type, i.e., gaming. This may be attributed to a regular interaction with the gaming platform, e.g., for transferring data of a new game turn. As can be seen, the characteristic traffic patterns of Figs. 3 and 4 differ from each other, which allows for distinguishing between the different underlying user activities.
Fig. 5 further illustrates functionalities of a service management system in which the learned characteristic traffic patterns stored in the database 200 may be utilized. As illustrated in Fig. 5, the service management system is provided with functionalities for monitoring the data traffic 310 related to one or more UEs and to compare the monitored data traffic to one or more of the characteristic traffic patterns which are stored in the mapping database 200. In the mapping database 200, each stored characteristic traffic pattern is mapped to a certain user activity for which it is characteristic. As illustrated, these functionalities include the traffic monitor 80 and a comparison processor 350. The comparison processor 350 receives the monitored data traffic 310 and compares the monitored data traffic 310 to the stored characteristic traffic patterns. The monitored data traffic 310 may be data traffic of UEs provided with the activity logging application, e.g., the UEs 50-1 , 50-2, 50-3 of Fig. 1 , but may also or alternatively be data traffic of other UEs, not provided with such activity logging application, e.g., the UEs 50-4, 50-5, 50-6 of Fig. 1 . The comparison processor 350 operates to compare the monitored data traffic 310 to one or more of the stored characteristic traffic patterns. If a matching characteristic traffic pattern is found, the comparison processor 350 may determine that the actual user activity related to the UE associated with the monitored data traffic 310 corresponds to the user activity for which the traffic pattern is characteristic, i.e., to which it is mapped according to the database 200. The determined actual user activity may then be used to provide a management policy 320, e.g., with respect to QoS provided for services of the UE or with respect to advertisements or offers presented to the user of the UE. The comparison processor 350 may implement various algorithms to match the monitored data traffic 310 with the characteristic traffic pattern. For example, a tree-based decision algorithm may be used. In some implementations, the comparison processor 350 may also implement a neural network. It is noted that the traffic analysis system 100 of Fig. 2 and the service management system 300 of Fig. 5 may also combined in a single system in which learning of the characteristic traffic pattern(s) and their application for determining actual user activities is performed concurrently. Fig. 6 shows a flowchart for illustrating a method for analyzing data traffic, which may be used to implement the above-mentioned concepts. The steps of the method may for example be performed in a traffic analysis system of the communication network, e.g., as illustrated in Fig. 2. At step 610, data traffic related to at least one UE, typically data traffic to and/or from the UE, is monitored. This may for example be accomplished by a traffic monitor in the communication network, such as the traffic monitor 80. Alternatively or in addition, also the UE itself may be perform the monitoring or assist in the monitoring process, e.g., by providing traffic logs. The monitoring may for example involve DPI or other packet inspection technologies. In some implementations, the monitoring may involve detection of packet flows in the monitored data traffic.
At step 620, a user activity related to the UE is detected. This may be performed by an activity logging application executed on the UE or on the basis of an indication provided by such activity logging application. As mentioned above, such activity logging application may be installed on a limited set of UEs, which are used for learning characteristic traffic patterns. The user activity typically involves active usage of a user interface of the UE. For example, such user interface may be implemented by a visual input and/or output device of the UE, e.g., a display or camera. The user interface may also be implemented by an acoustic input and/or output device of the UE, e.g., a microphone or loudspeaker. The user interface may also be implemented by one or more finger input sensors of the UE, such as a touchscreen, touchpad, keypad, or the like. The user activity may also involve usage of one or more specific applications on the UE. Operations involving usage of the user interface or applications may be efficiently detected by the activity logging application.
At step 630, a characteristic traffic pattern is determined, i.e., it is determined that a traffic pattern in the monitored data traffic is characteristic for the user activity detected at step 620. This may be accomplished in such a way that the characteristic traffic pattern allows for distinguishing the user activity from one or more other user activities, which are associated with different traffic patterns. The traffic pattern may be defined in terms of one or more packet flows of a certain traffic type. Preferably, the traffic pattern is defined in terms of a time order of the packet flows and/or a duration of one or more of the packet flows.
At step 640, the characteristic traffic pattern determined at step 630 is stored as being characteristic for the user activity, e.g., in a database which maps the characteristic traffic pattern to the user activity, such as the mapping database 200.
The stored characteristic traffic pattern may then be used for determining an actual user activity related to a UE, by comparing further monitored data traffic related to the same UE(s) to the characteristic traffic pattern and/or by monitoring data traffic related to one or more further UEs, not involved in the detection of the user activity at step 620, and comparing this data traffic to the stored characteristic traffic pattern.
Fig. 7 shows a flowchart for illustrating a method for analyzing data traffic, which may be used to implement the above-mentioned concepts. The steps of the method may for example be performed in a service management system of the communication network, e.g., as illustrated in Fig. 5.
At step 710, data traffic related to at least one UE, typically data traffic to and/or from the UE, is monitored. This may for example be accomplished by a traffic monitor in the communication network, such as the traffic monitor 80. The monitoring may for example involve DPI or other packet inspection technologies. In some implementations, the monitoring may involve detection of packet flows in the monitored data traffic. At step 720, the monitored data traffic is compared to one or more characteristic traffic patterns. Such characteristic traffic pattern is stored as being characteristic for a certain user activity, e.g., in a database which maps the characteristic traffic pattern to the user activity, such as the mapping database 200. In particular, the characteristic traffic pattern may allow for distinguishing the user activity from one or more other user activities, which are associated with different traffic patterns.
The user activity typically involves active usage of a user interface of the UE. For example, such user interface may be implemented by a visual input and/or output device of the UE, e.g., a display or camera. The user interface may also be implemented by an acoustic input and/or output device of the UE, e.g., a microphone or loudspeaker. The user interface may also be implemented by one or more finger input sensors of the UE, such as a touchscreen, touchpad, keypad, or the like. The user activity may also involve usage of one or more specific applications on the UE.
The traffic pattern may be defined in terms of one or more packet flows of a certain traffic type. Preferably, the traffic pattern is defined in terms of a time order of the packet flows and/or a duration of one or more of the packet flows. At step 730, an actual user activity related to the UE is determined on the basis of the comparison of step 720. At step 740, the determined actual user activity may then be used for managing one or more services provided to the UE, e.g., in terms of QoS or by providing targeted advertisements or offers to the user. It is to be understood that the methods of Figs. 6 and 7 may also be performed in combination, e.g., by using the method of Fig. 6 to learn one ore more characteristic traffic patterns and using the method of Fig. 7 to determine actual user activities by comparison of monitored data traffic to such learned characteristic traffic patterns. Fig. 8 illustrates an exemplary implementation of a traffic analysis node 800 which may be used to implement the above concepts. The illustrated structures may for example be used to implement functionalities as illustrated in Fig. 2 or 5.
In the illustrated example, the traffic analysis node 800 includes at least one interface 840, which may be used for monitoring data traffic in a communication network. For this purpose, the interface 840 may be used to receive the monitored data traffic or to receive information concerning the monitored traffic from other nodes, such as the traffic monitor 80 or a UE. The interface 840 may also be used to receive indications of user activities, such as the activity logs 120 from UEs.
Further, the traffic analysis node 800 includes one or more processor(s) 850 coupled to the interface 840 and a memory 860 coupled to the processor(s) 850. The memory 860 may include a read-only memory (ROM), e.g., a flash ROM, a random-access memory (RAM), e.g., a dynamic RAM (DRAM) or static RAM (SRAM), a mass storage, e.g., a hard disk or solid state disk, or the like. The memory 860 includes suitably configured program code modules to be executed by the processor(s) 850 so as to implement the above-described functionalities of the traffic analysis system 100 and/or service management system 300. More specifically, the program code modules in the memory 860 may include a monitoring module 870 so as to implement the above-described functionalities of monitoring data traffic related to one or more UEs. Further, the program code modules in the memory 860 may also include an analysis module 880 so as to implement the above-mentioned functionalities of correlating detected user activities to traffic patterns to determine a characteristic data pattern for a user activity, and/or of comparing the monitored data traffic to one or more stored characteristic traffic patterns to determine the actual user activity of a UE. Further, the memory 860 may also include a traffic pattern database 890 for storing the learnt characteristic traffic pattern(s).
It is to be understood that the structure as illustrated in Fig. 8 is merely schematic and that the traffic analysis node 800 may actually include further components which, for the sake of clarity, have not been illustrated, e.g., further interfaces or further processors. Also, it is to be understood that the memory 860 may include further types of program code modules, which have not been illustrated, e.g., program code modules for implementing known traffic analysis functionalities, machine learning algorithms, and/or comparison algorithms. In some implementations, also a computer program may be provided for implementing functionalities of the traffic analysis node 800, e.g., in the form of a medium storing the program code modules to be stored in the memory 860 or by making such program code available for download.
As can be seen, the concepts as described above may be used for determining the actual user activity of a UE and to distinguish between data traffic generated by applications or processes on the UE which are executed in the background, without directly involving the user, and data traffic which is due to specific user activities, i.e., involve active participation of the user, such as activities involving usage of applications currently presenting information on the display or receiving user inputs. The concepts may be implemented in an efficient manner by allowing to use only a limited set of UEs for learning the characteristic traffic pattern(s), while the learnt characteristic traffic patterns may be applied to a much larger group of UEs, e.g., to all UEs connecting to the communication network, without requiring any specific participation from this larger group of UEs.
It is to be understood that the examples and embodiments as explained above are merely illustrative and susceptible to various modifications. For example, the concepts could be used in connection with various types of communication networks, e.g., including the examples of communication networks as mentioned herein, but also other types of communication networks, e.g., converged networks offering both cellular mobile access and fixed broadband access. Further, the concepts may be applied in relation to various kinds of user activities.
Moreover, it is to be understood that the above concepts may be implemented by using correspondingly designed software to be executed by one or more processors of an existing device, or by using dedicated device hardware. Also, the traffic analysis node as described herein may be implemented by a single device or by multiple devices, e.g., a device cloud or system of cooperating devices. Further, at least some of the illustrated functionalities for learning the characteristic traffic pattern(s) could be implemented in a UE.

Claims

Claims
1 . A method for analyzing data traffic, the method comprising:
monitoring data traffic related to at least one user equipment (50-1 , 50-2, 50-3);
detecting a user activity related to the at least one user equipment (50-1 , 50-2, 50-3);
determining that a traffic pattern in the monitored data traffic is characteristic for said user activity; and
storing the traffic pattern as being characteristic for said user activity.
2. The method according to claim 1 ,
wherein the detecting of said user activity is performed on the basis of an indication provided by an activity logging application executed on the at least one user equipment (50-1 , 50-2, 50-3).
3. The method according to claim 1 or 2,
wherein said user activity involves active usage of a user interface of the user equipment (50-1 , 50-2, 50-3).
4. The method according to claim 3,
wherein said user interface is implemented by a visual input and/or output device of the user equipment (50-1 , 50-2, 50-3).
5. The method according to claim 3 or 4,
wherein said user interface is implemented by an acoustic input and/or output device of the user equipment (50-1 , 50-2, 50-3).
6. The method according to any one of claims 3 to 5,
wherein said user interface is implemented by one or more finger input sensors of the user equipment (50-1 , 50-2, 50-3).
7. The method according to any one of the preceding claims,
wherein the traffic pattern allows for distinguishing the user activity from one or more other user activities.
8. The method according to any one of the preceding claims,
wherein the traffic pattern comprises one or more packet flows of a certain traffic type.
9. The method according to claim 8,
wherein the traffic pattern comprises a time order of the packet flows.
10. The method according to claim 8 or 9,
wherein the traffic pattern comprises a duration of at least one of the packet flows.
1 1. The method according to any one of the preceding claims, comprising:
monitoring further data traffic related to the at least one user equipment (50-1 , 50-2, 50-3) or data traffic related to at least one further user equipment (50-4, 50-5, 50-6);
comparing the monitored data traffic to the traffic pattern which is stored as being characteristic for said user activity; and
on the basis of the comparison, determining that an actual user activity related to the at least one user equipment (50-1 , 50-2, 50-3, 50-4, 50-5, 50-6) corresponds to said user activity for which the traffic pattern is characteristic.
12. The method according to claim 1 1 , comprising:
on the basis of the determined actual user activity, managing one or more services provided to the user of the user equipment (50-1 , 50-2, 50-3, 50-4, 50-5, 50-6).
13. A method for analyzing data traffic, the method comprising:
monitoring data traffic related to a user equipment (50-1 , 50-2, 50-3, 50-4, 50-5, 50-6);
comparing the monitored data traffic to a traffic pattern which is stored as being characteristic for a user activity; and
on the basis of the comparison, determining that an actual user activity related to the user equipment (50-1 , 50-2, 50-3, 50-4, 50-5, 50-6) corresponds to said user activity for which the traffic pattern is characteristic.
14. The method according to claim 13, comprising:
on the basis of the determined actual user activity, managing one or more services provided to the user of the user equipment (50-1 , 50-2, 50-3, 50-4, 50-5, 50-6).
15. The method according to claim 13 or 14,
wherein said user activity involves active usage of a user interface of the user equipment (50-1 , 50-2, 50-3).
16. The method according to claim 15, wherein said user interface is implemented by a visual input and/or output device of the user equipment (50-1 , 50-2, 50-3).
17. The method according to claim 15 or 16,
wherein said user interface is implemented by an acoustic input and/or output device of the user equipment (50-1 , 50-2, 50-3).
18. The method according to any one of claims 15 to 17,
wherein said user interface is implemented by one or more finger input sensors of the user equipment (50-1 , 50-2, 50-3).
19. The method according to any one of claims 13 to 18,
wherein the traffic pattern allows for distinguishing the user activity from one or more other user activities.
20. The method according to any one of claims 13 to 19,
wherein the traffic pattern comprises one or more packet flows of a certain traffic type.
21. The method according to claim 20,
wherein the traffic pattern comprises a time order of the packet flows.
22. The method according to claim 20 or 21 ,
wherein the traffic pattern comprises a duration of at least one of the packet flows.
23. A device (800; 50-1 , 50-2, 50-3) for a communication network, the device (800) comprising:
an interface for receiving data traffic related to at least one user equipment (50-1 , 50-2, 50-3, 50-4, 50-5, 50-6); and
at least one processor (850),
wherein the at least one processor (850) is configured to:
- monitor the data traffic related to the at least one user equipment (50-1 , 50-2, 50-3),
- detect a user activity related to the at least one user equipment (50-1 , 50-2, 50-3),
- determine that a traffic pattern in the monitored data traffic is characteristic for the detected user activity; and
- store the traffic pattern as being characteristic for the user activity.
24. The device (800) according to claim 23, wherein the at least one processor (850) is configured to detect said user activity on the basis of an indication provided by an activity logging application executed on the at least one user equipment (50-1 , 50-2, 50-3).
25. The device (800) according to claim 23 or 24,
wherein said user activity involves active usage of a user interface of the user equipment (50-1 , 50-2, 50-3).
26. The device (800) according to claim 25,
wherein said user interface is implemented by a visual input and/or output device of the user equipment (50-1 , 50-2, 50-3).
27. The device (800) according to claim 25 or 26,
wherein said user interface is implemented by an acoustic input and/or output device of the user equipment (50-1 , 50-2, 50-3).
28. The device (800) according to any one of claims 25 to 27,
wherein said user interface is implemented by one or more finger input sensors of the user equipment (50-1 , 50-2, 50-3).
29. The device (800) according to any one of claims 23 to 28,
wherein the traffic pattern allows for distinguishing the user activity from one or more other user activities.
30. The device (800) according to any one of claims 23 to 29,
wherein the traffic pattern comprises one or more packet flows of a certain traffic type.
31. The device (800) according to claim 30,
wherein the traffic pattern comprises a time order of the packet flows.
32. The device (800) according to claim 30 or 31 ,
wherein the traffic pattern comprises a duration of at least one of the packet flows.
33. The device (800) according to claim 23,
wherein the device (800) is configured to operate in accordance with a method as defined in any one of claims 1 to 10.
34. A device (800) for a communication network, the device (100) comprising: an interface for receiving data traffic related to a user equipment (50-1 , 50-2, 50-3, 50-4, 50- 5, 50-6); and
at least one processor (850),
wherein the at least one processor (850) is configured to:
- monitor the data traffic related to the user equipment (50-1 , 50-2, 50-3, 50-4, 50-5, 50-6);
- compare the monitored data traffic to a traffic pattern stored as being characteristic for a user activity, and
- on the basis of the comparison, determine that an actual user activity related to the user equipment (50-1 , 50-2, 50-3, 50-4, 50-5, 50-6) corresponds to said user activity for which the traffic pattern is characteristic.
35. The device (800) according to claim 34,
wherein the at least one processor is configured to manage, on the basis of the determined actual user activity, one or more services provided to the user of the user equipment (50-1 , 50-2, 50-3, 50-4, 50-5, 50-6).
36. The device (800) according to claim 34 or 35,
wherein said user activity involves active usage of a user interface of the user equipment (50-1 , 50-2, 50-3).
37. The device (800) according to claim 36,
wherein said user interface is implemented by a visual input and/or output device of the user equipment (50-1 , 50-2, 50-3).
38. The device (800) according to claim 36 or 37,
wherein said user interface is implemented by an acoustic input and/or output device of the user equipment (50-1 , 50-2, 50-3).
39. The device (800) according to any one of claims 36 to 38,
wherein said user interface is implemented by one or more finger input sensors of the user equipment (50-1 , 50-2, 50-3).
40. The device (800) according to any one of claims 34 to 39,
wherein the traffic pattern allows for distinguishing the user activity from one or more other user activities.
41. The device (800) according to any one of claims 34 to 40,
wherein the traffic pattern comprises one or more packet flows of a certain traffic type.
42. The device (800) according to claim 41 ,
wherein the traffic pattern comprises a time order of the packet flows.
43. The device (800) according to claim 42 or 43,
wherein the traffic pattern comprises a duration of at least one of the packet flows.
44. The device (800) according to claim 34,
wherein the device (800) is configured to operate in accordance with a method as defined in any one of claims 13 to 22.
45. A computer program comprising program code to be executed by at least one processor of a device (100, 50-1 , 50-2, 50-3) for a communication network, wherein execution of the program code causes the device (100, 50-1 , 50-2, 50-3) to perform a method as defined in any one of claims 1 to 22.
PCT/EP2013/069007 2013-09-13 2013-09-13 Traffic analysis for user activity detection WO2015036033A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2013/069007 WO2015036033A1 (en) 2013-09-13 2013-09-13 Traffic analysis for user activity detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2013/069007 WO2015036033A1 (en) 2013-09-13 2013-09-13 Traffic analysis for user activity detection

Publications (1)

Publication Number Publication Date
WO2015036033A1 true WO2015036033A1 (en) 2015-03-19

Family

ID=49223757

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2013/069007 WO2015036033A1 (en) 2013-09-13 2013-09-13 Traffic analysis for user activity detection

Country Status (1)

Country Link
WO (1) WO2015036033A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006099586A1 (en) * 2005-03-14 2006-09-21 Qualcomm Incorporated Method and apparatus for monitoring usage patterns of a wireless device
WO2011154038A1 (en) * 2010-06-09 2011-12-15 Telefonaktiebolaget Lm Ericsson (Publ) Traffic classification
GB2499089A (en) * 2011-12-14 2013-08-07 Seven Networks Inc Providing reports to mobile network operators based on optimisiciency of wireless network traffic and/or battery consumption reduction

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006099586A1 (en) * 2005-03-14 2006-09-21 Qualcomm Incorporated Method and apparatus for monitoring usage patterns of a wireless device
WO2011154038A1 (en) * 2010-06-09 2011-12-15 Telefonaktiebolaget Lm Ericsson (Publ) Traffic classification
GB2499089A (en) * 2011-12-14 2013-08-07 Seven Networks Inc Providing reports to mobile network operators based on optimisiciency of wireless network traffic and/or battery consumption reduction

Similar Documents

Publication Publication Date Title
US11562380B2 (en) System and method for applying tracing tools for network locations
US8782215B2 (en) Performance testing in a cloud environment
US20180314514A1 (en) Techniques to isolating a portion of an online computing service
US20190065738A1 (en) Detecting anomalous entities
US20220131767A1 (en) SYSTEM FOR IDENTIFYING AND ASSISTING IN THE CREATION AND IMPLEMENTATION OF A NETWORK SERVICE CONFIGURATION USING HIDDEN MARKOV MODELS (HMMs)
US20150135320A1 (en) Methods and apparatus to identify malicious activity in a network
US20130183951A1 (en) Dynamic mobile application classification
US20120317151A1 (en) Model-Based Method for Managing Information Derived From Network Traffic
US10984452B2 (en) User/group servicing based on deep network analysis
US9628559B2 (en) Optimizing resource downloads or streams using a collection of trusted network connected endpoints
US11483337B2 (en) Threat mitigation system and method
US20140304653A1 (en) Method For Generating Rules and Parameters for Assessing Relevance of Information Derived From Internet Traffic
US9449104B2 (en) Method and apparatus for deriving and using trustful application metadata
CN105553770B (en) Data acquisition control method and device
CN110233774B (en) Detection method, distributed detection method and system for Socks proxy server
US20220166801A1 (en) Threat mitigation system and method
US11516138B2 (en) Determining network flow direction
WO2015036033A1 (en) Traffic analysis for user activity detection
US10581916B2 (en) System and method for identifying cyber-attacks
US11516226B2 (en) Contextual analyses of network traffic
US11947707B2 (en) On-device decision making
Tung et al. VoIP packets filtering for mobile instant messaging using N-gram models
US20240184857A1 (en) Device type classification based on usage patterns
US20220222471A1 (en) Telecommunication network monitoring
Claffy The 5th workshop on Active Internet Measurements (AIMS-5) report

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13765331

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13765331

Country of ref document: EP

Kind code of ref document: A1