Network Traffic Analysis with Process Mining: The UPSIDE Case Study

This paper proposes a process mining-based method that analyzes online gaming network traffic to unsupervisedly characterize device states as interpretable Petri nets and accurately classify different video games, demonstrating its effectiveness through the UPSIDE case study involving Clash Royale and Rocket League.

The Gist

Imagine you are a detective trying to figure out what kind of party is happening in a massive, noisy warehouse just by listening to the conversations between people.

That is essentially what this paper does, but instead of a party, it's an online video game, and instead of people talking, it's computer data packets zipping back and forth.

Here is the breakdown of their work, explained simply:

The Problem: The "Noisy Warehouse"

Online games like Clash Royale and Rocket League generate a huge amount of data. It's like a chaotic crowd where everyone is shouting at once.

• The Challenge: If you just look at the raw data, it's a mess. It's "interleaved" (mixed up) and "noisy" (full of static).
• The Old Way: Usually, computers use "Deep Learning" (AI) to guess what game is being played. But this is like a black box. The computer says, "I think it's Rocket League," but it can't tell you why. It's not very trustworthy if you need to explain the decision to a human.

The Solution: The "Process Mining" Detective

The authors propose a new method called Process Mining. Think of this not as a black box, but as a cartographer. They want to draw a map of how the data moves.

They use a technique to turn the messy noise into a clear, readable flowchart (called a Petri Net). Imagine turning a chaotic crowd into a diagram showing: "First, the player sends a move, then the server says 'Got it,' then the player sends another move."

How They Did It (The 4-Step Recipe)

1. Listening (Monitoring): They set up a "tap" on the network to record all the traffic from devices playing games during a big event called UPSIDE. They watched people playing Clash Royale (a strategy card game) and Rocket League (soccer with rocket-powered cars).
2. Chunking (Feature Extraction): The data stream is too long to analyze all at once. So, they chopped it into small, manageable "windows" (like cutting a long movie into 5-second clips).
3. Grouping (State Characterization): They used a smart clustering algorithm to group these clips.
   • Analogy: Imagine you have a pile of mixed-up socks. You sort them into piles: "Socks with holes," "Socks with stripes," and "Socks with holes and stripes."
   • In their case, they sorted the data into different "states" based on what the computer was doing (e.g., "Sending a big update," "Waiting for a reply," "Sending a quick ping").
4. Mapping (Modeling): For each group of socks (state), they drew a flowchart (Petri Net) showing the rules of that specific behavior.
   • The Result: They ended up with a set of clear, interpretable maps. One map showed how Clash Royale talks to its server, and another showed how Rocket League talks to its server.

The Experiment: Can They Tell the Games Apart?

They tested their method to see if they could look at a piece of network traffic and say, "Ah, this is Clash Royale," or "This is Rocket League."

• The Twist: They didn't just look at the data; they looked at the flow of the data.
• The Findings:
  • Too much data at once (Long Windows): If they looked at too long a chunk of time, the maps became blurry and generic. It was like trying to describe a whole movie by looking at one single frame; you lose the details.
  • Too few groups (Few States): If they only had two piles of socks, the maps were too simple and couldn't tell the games apart.
  • The Sweet Spot: They found the perfect balance: 3-second windows and 3 different states. This allowed them to distinguish the games with 88% accuracy.

Why This Matters (The "Aha!" Moment)

The coolest part of this paper is Interpretability.

• Old AI: "I think this is Rocket League." (You have to trust the robot).
• This Method: "I think this is Rocket League because I see a specific pattern where the player sends a burst of small messages, and the server replies with a specific type of 'Okay' packet."

They actually drew a picture (a Petri Net) that showed exactly how Clash Royale works: The player sends a "Push" (PSH) flag to say "Send this data immediately, don't wait!" This is a specific behavior unique to that game, and their method found it automatically without anyone telling them to look for it.

The Takeaway

This paper proves that you don't need a "black box" AI to understand complex network traffic. By using Process Mining, you can:

1. Clean up the noise in network data.
2. Draw clear maps (Petri Nets) of how different games behave.
3. Identify games accurately while being able to explain exactly why you made that choice.

It's like going from guessing the flavor of a soup by taking a blind sip, to actually seeing the recipe and saying, "Ah, I can taste the basil; this is definitely Italian soup!"

Technical Summary

Here is a detailed technical summary of the paper "Network Traffic Analysis with Process Mining: The UPSIDE Case Study."

1. Problem Statement

The rapid growth of online gaming generates massive amounts of network traffic, creating challenges for bandwidth management, load prediction, and malicious activity detection. While Deep Learning (DL) is commonly used for traffic analysis, it often suffers from a "black-box" nature, lacking interpretability.

Existing Process Mining (PM) approaches for network traffic face three specific hurdles:

1. Noisy and Interleaved Data: Network traffic lacks clear "case IDs" (distinct flow instances), making it difficult to apply standard PM algorithms.
2. Underfitting: Complex, interleaved data often leads to models that generalize too shallowly, failing to capture specific behavioral patterns.
3. Lack of Gaming-Specific Data: Most existing datasets focus on controlled IoT protocols (e.g., MQTT, OPC UA) or general traffic, lacking the dense, simultaneous traffic patterns characteristic of large-scale gaming events.

2. Methodology

The authors propose a four-phase, unsupervised method to encode gaming network traffic into interpretable behavioral models (Petri nets). The workflow is illustrated in Figure 1 of the paper:

• Phase 1: Network Traffic Monitoring

  • Data is collected via non-intrusive monitoring of devices ($D$) communicating with game servers ($S_r$).
  • Raw data (e.g., PCAP files) is modeled as a set of packets containing metadata, payload, and protocol information.

• Phase 2: Feature Extraction

  • Protocol Parsing: Traffic is filtered for a specific protocol (e.g., TCP).
  • Windowing: A sliding window ($W_L$) is applied to the packet stream to extract synthetic features (e.g., counts of specific TCP flags like SYN/ACK/PSH, average payload size). This transforms raw packets into structured windows ($P_{d,T,f}$).

• Phase 3: State Characterization

  • Unsupervised Clustering: Since labeled data is unavailable, K-means clustering is applied to the window statistics to identify distinct network states ($S$).
  • Alignment: The identified states are mapped back to the original packet stream, creating "state-wise" protocol data where every packet is tagged with its corresponding state.

• Phase 4: Network Traffic Modeling

  • Event Log Extraction: The state-wise data is split into traces based on the window length. Events are defined as combinations of direction and TCP flags.
  • Process Discovery: An Inductive Miner algorithm is applied to the event logs of each state to generate Petri Nets ($N_{d,T,s}$). These nets model the control flow and behavioral patterns of that specific state.

3. Key Contributions

• Unsupervised State Identification: A novel approach to identify network states without prior knowledge of the game or traffic labels, addressing the lack of case IDs in raw traffic.
• Interpretable Behavioral Modeling: Successfully encodes complex, noisy gaming traffic into Petri Nets, providing a visual and logical representation of traffic states (e.g., specific burst patterns) rather than just statistical probabilities.
• Fine-Tuning for Noise: Introduces a mechanism to balance model complexity by tuning the window length and number of states to mitigate underfitting.
• Gaming Traffic Classification: Demonstrates the ability to classify different video games (Clash Royale vs. Rocket League) based solely on the behavioral models derived from network traffic.

4. Experimental Results

The method was evaluated using the UPSIDE Case Study, involving traffic from 12 devices playing Clash Royale (CR) and Rocket League (RL) over a 5G/MPLS network.

• Modeling Quality (Experiment 1):

  • Similarity (sim): High similarity across devices playing the same game indicates consistent behavioral modeling.
  • Separation (sep): High separation values indicate that a device's traffic fits its own game model better than other devices' models.
  • Complexity (comp): Measured via arc degree. The study found that increasing window length increases complexity but can lead to underfitting (merging distinct behaviors).

• Classification Performance (Experiment 2):

  • Optimal Configuration: The best trade-off was achieved with a Window Length (WL) of 3 and 3 States.
  • Metrics:
    • Cosine Similarity (CosSim): 58.14% (Low similarity between CR and RL distributions, indicating good discriminability).
    • AUC (Area Under Curve): 88.30%, significantly outperforming other interpretable one-class classifiers (Isolation Forest, HBOS, Z-score, COPOD).
  • Interpretability: The resulting Petri nets revealed specific patterns. For example, State $s_2$ in Clash Royale was identified as a burst of client-to-server messages with the PSH flag (immediate forwarding), a pattern automatically discovered without human labeling.

5. Significance and Conclusion

• Bridging the Gap: The paper successfully bridges the gap between the high accuracy of Deep Learning and the explainability of Process Mining in the context of network traffic.
• Actionable Insights: The method provides not just a classification label, but a visual model (Petri Net) of how the traffic behaves, allowing network administrators to understand specific protocol interactions (e.g., burst patterns, acknowledgment loops).
• Practical Application: The results suggest that process mining is viable for real-world, noisy gaming traffic, provided that parameters (window size and state count) are carefully tuned to avoid underfitting.
• Future Work: The authors plan to refine heuristics for selecting optimal Petri nets, analyze overlapping windows, and extend the method to other IoT protocols.

In summary, this work demonstrates that Process Mining can effectively model, interpret, and classify complex online gaming traffic, offering a transparent alternative to black-box machine learning approaches.