HTTP constitutes a dominant part of the Internet traffic. Today's web traffic mostly consists of HTTP/1 and the much younger HTTP/2. As the traffic of both protocols is increasingly exchanged over encryption, discerning which flows in the network belong to each protocol is getting harder. Identifying flows per protocol is however very important, e.g., for building traffic models for simulations and benchmarking, and enabling operators and researchers to track the adoption of HTTP/2. This paper makes two contributions. First, using datasets of passive measurements collected in operational networks and Deep Packet Inspection (DPI), we characterize differences in HTTP/1 and HTTP/2 traffic. We show that the adoption of HTTP/2 among major providers is high and growing. Moreover, when comparing the same services over HTTP/1 or HTTP/2, we notice that HTTP/2 flows are longer, but formed by smaller packets. This is likely a consequence of new HTTP/2 features and the reorganization of servers and clients to profit from such features. Second, we present a lightweight method for the classification of encrypted web traffic into appropriate HTTP versions. In order to make the method practically feasible, we use machine learning with basic information commonly available in aggregated flow traces (e.g., NetFlow records). We show that a small labeled dataset is sufficient for training the system, and it accurately classifies traffic for several months, potentially from different measurement locations, without the need for retraining. Therefore, the method is simple, scalable, and applicable to scenarios where DPI is not possible.
How HTTP/2 is changing web traffic and how to detect it
Drago, Idilio;
2017-01-01
Abstract
HTTP constitutes a dominant part of the Internet traffic. Today's web traffic mostly consists of HTTP/1 and the much younger HTTP/2. As the traffic of both protocols is increasingly exchanged over encryption, discerning which flows in the network belong to each protocol is getting harder. Identifying flows per protocol is however very important, e.g., for building traffic models for simulations and benchmarking, and enabling operators and researchers to track the adoption of HTTP/2. This paper makes two contributions. First, using datasets of passive measurements collected in operational networks and Deep Packet Inspection (DPI), we characterize differences in HTTP/1 and HTTP/2 traffic. We show that the adoption of HTTP/2 among major providers is high and growing. Moreover, when comparing the same services over HTTP/1 or HTTP/2, we notice that HTTP/2 flows are longer, but formed by smaller packets. This is likely a consequence of new HTTP/2 features and the reorganization of servers and clients to profit from such features. Second, we present a lightweight method for the classification of encrypted web traffic into appropriate HTTP versions. In order to make the method practically feasible, we use machine learning with basic information commonly available in aggregated flow traces (e.g., NetFlow records). We show that a small labeled dataset is sufficient for training the system, and it accurately classifies traffic for several months, potentially from different measurement locations, without the need for retraining. Therefore, the method is simple, scalable, and applicable to scenarios where DPI is not possible.
| File | Dimensione | Formato | |
|---|---|---|---|
|
08002899.pdf
Accesso riservato
Dimensione
6.23 MB
Formato
Adobe PDF
|
6.23 MB | Adobe PDF | Visualizza/Apri Richiedi una copia |
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
