Internet Engineering Task Force H. Yu Internet-Draft Huazhong University of Science and Technology Intended status: Informational 23 April 2025 Expires: 25 October 2025 Network Traffic Analysis and Network Modal Mapping Method draft-traffic-analysis-and-network-mode-mapping-00 Abstract This document presents a framework for network traffic classification and modality mapping based on large language models (LLMs), addressing the inefficiencies of traditional methods in dynamic network environments. The proposed approach automates multi- dimensional traffic feature extraction and intelligent decision- making to achieve precise alignment between traffic patterns and computing-storage-transmission requirements. The framework comprises two phases: pre-training (generating multi-modal traffic representations from pcap data) and mapping (dynamically formulating resource allocation strategies). It supports anomaly detection, QoS assurance, and multi-service collaboration, thereby significantly enhancing resource utilization efficiency and network service performance. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 25 October 2025. Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. Yu Expires 25 October 2025 [Page 1] Internet-Draft Traffic Analysis and Modal Mapping April 2025 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Status of This Memo . . . . . . . . . . . . . . . . . . . . . 2 2. Copyright Notice . . . . . . . . . . . . . . . . . . . . . . 2 3. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 4. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 4.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 5. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 3 6. Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . 5 7. Framework Overview . . . . . . . . . . . . . . . . . . . . . 5 8. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 6 8.1. Dynamic Resource Allocation . . . . . . . . . . . . . . . 6 8.2. Anomaly Detection . . . . . . . . . . . . . . . . . . . . 6 8.3. Application-Aware Networking . . . . . . . . . . . . . . 6 9. Security Considerations . . . . . . . . . . . . . . . . . . . 7 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 11.1. Normative References . . . . . . . . . . . . . . . . . . 7 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 1. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). This draft will expire on 15 July 2025. 2. Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents. Yu Expires 25 October 2025 [Page 2] Internet-Draft Traffic Analysis and Modal Mapping April 2025 3. Introduction This document presents a novel framework that employs Large Language Models (LLMs) to automate network traffic classification and resource mapping. As network traffic experiences exponential growth, infrastructure complexity increases, and vertical industries exhibit converged requirements for storage, transmission, and computing resources in intelligent computing applications, traditional approaches relying on manual feature engineering and static classification methods have become inefficient and inadequate for dynamic network environments. The proposed framework addresses these challenges through the following methodology: Raw pcap traffic data is first transformed into multi-dimensional feature representations. These features are then processed by LLMs to generate adaptive traffic classification models capable of recognizing diverse network flow patterns. Subsequently, the framework performs intelligent resource allocation by mapping classified traffic types to corresponding network requirements (e.g., bandwidth, latency, reliability). Finally, the framework establishes accurate and dynamic mappings between network traffic patterns and their corresponding resource requirements through continuous learning and optimization mechanisms. 4. Scope This framework applies to network operators and service providers requiring dynamic Quality of Service(QoS) management, anomaly detection, and application-aware resource allocation. It defines methodologies for integrating LLMs into traffic analysis pipelines and mapping multi-dimensional SFC features to network modalities. 4.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 5. Terms and Definitions Pre-training: Pre-training refers to the initial training process of a model on large-scale unsupervised data, aiming to learn general features and patterns within the data. This stage typically adopts self-supervised learning methods, such as masked language modeling (MLM) or autoregressive language modeling (AR). Yu Expires 25 October 2025 [Page 3] Internet-Draft Traffic Analysis and Modal Mapping April 2025 Fine-tuning: Fine-tuning involves training a pre-trained model on supervised data specific to a particular task, allowing it to adapt to specialized datasets and improve performance for specific applications. Pcap: A file format used to store network traffic data for analysis. Pcap files record packets transmitted in a network, including source and destination addresses, protocol types, payload content, and other key information. CSV: A file format used for storing structured tabular data. CSV files use commas to separate fields, making them suitable for data analysis, machine learning training datasets, and information exchange between different applications. Large Language Model-A deep learning model with billions or even trillions of parameters capable of processing and generating natural language text. LLMs are trained on large-scale text datasets and possess abilities such as comprehension, summarization, translation, and reasoning. They are widely used in question-answering systems, dialogue generation, text summarization, and other natural language processing tasks. Multi-level Flow Representation-A method for representing and processing network traffic data by extracting features at multiple levels, such as packet level, flow level, and session level. MFR enables a more comprehensive analysis of network traffic characteristics. Low-Rank Adaptation-An efficient fine-tuning method for LLMs that introduces low-rank matrices in the parameter space of a pre-trained model. LoRA reduces computational and storage costs while maintaining model performance. Quality of Service-A network mechanism that ensures performance metrics such as throughput, latency, jitter, and packet loss rate during data transmission. QoS is critical for applications that require stable and predictable network performance. Guaranteed Bit Rate-A QoS mechanism that ensures a minimum bit rate for a specific data flow. GBR is used in applications requiring stable bandwidth allocation, such as voice calls and video conferencing, to maintain consistent service quality. Non-Guaranteed Bit Rate-A QoS mechanism where no minimum bit rate is guaranteed for data flows. Non-GBR is suitable for applications with flexible bandwidth needs, such as web browsing and social media. Yu Expires 25 October 2025 [Page 4] Internet-Draft Traffic Analysis and Modal Mapping April 2025 5G QoS Identifier-A QoS identifier in 5G networks used to differentiate various types of traffic and define QoS requirements for different services. 5QI helps ensure appropriate network resource allocation for applications like high-definition video streaming, cloud gaming, and industrial automation. 6. Abbreviations LLM: Large Language Model MFR: Multi-level Flow Representation LoRA: Low-Rank Adaptation Qos: Quality of Service GBR: Guaranteed Bit Rate Non-GBR: Non-Guaranteed Bit Rate 5QI: 5G QoS Identifier 7. Framework Overview The framework operates in two phases: 1. Pre-training Phase: Converts raw pcap data into byte streams, CSV features, MFR matrices, and traffic graphs. Fine-tunes an LLM using LoRA to generate a traffic classification model. 2. Demand Mapping Phase: Applies the model to classify live traffic and maps categories to network modalities (e.g., GBR/Non-GBR) via predefined rules. Continuously optimizes configurations based on real-time feedback. Yu Expires 25 October 2025 [Page 5] Internet-Draft Traffic Analysis and Modal Mapping April 2025 +-------------+ +-------------------------+ +---------------------+ +--------------------------+ | Raw Traffic | --> | Byte Stream CSV Features | --> | Large Language Model | --> | Traffic Classification Model | | Data | | MFR Matrix Traffic Graph | | (Low-Rank Adaptation) | +--------------------------+ +-------------+ +--------------------------+ +---------------------+ | | V V +-----------------------------+ +----------------------+ | Pre-collected Knowledge Base | | Modal Network Demand | | Traffic Characteristics | --> | Mapping Rules | +-----------------------------+ +----------------------+ | V +------------------+ +------------------+ +-----------------------+ +--------------------------+ | Demand Mapping | <--| Traffic Classification | | Byte Stream, CSV Features | <-- | Raw Traffic Data | | Configuration | | Model | | MFR Matrix Traffic Graph | +--------------------------+ +------------------+ +------------------+ +------------------------+ | V +-----------------------+ +---------------------------+ +----------------------+ | Based on User Demand | | Traffic Analysis Storage | | Network Verification | | Estimation | + | Transmission Computation | +----------------------+ +-----------------------+ +----------------------------+ Figure 1 8. Use Cases 8.1. Dynamic Resource Allocation Prioritizes high-QoS traffic (e.g., video conferencing) by allocating guaranteed bandwidth via GBR, while deprioritizing Non-GBR traffic (e.g., file downloads). 8.2. Anomaly Detection Identifies deviations from learned traffic patterns (e.g., DDoS attacks) and triggers alerts for mitigation. 8.3. Application-Aware Networking Maps application-specific traffic (e.g., streaming video) to predefined 5QI profiles for optimized QoS. Yu Expires 25 October 2025 [Page 6] Internet-Draft Traffic Analysis and Modal Mapping April 2025 9. Security Considerations Implementations MUST anonymize pcap data to prevent leakage of sensitive information. LLM models and knowledge bases SHOULD be protected against unauthorized access. Real-time monitoring is RECOMMENDED to detect adversarial inputs. 10. IANA Considerations This document makes no requests to IANA. 11. References 11.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", RFC 8174, May 2017, . Authors' Addresses Hui Yu Huazhong University of Science and Technology Wuhan, China Email: hui_yu@hust.edu.cn Author's Address Hui Yu Huazhong University of Science and Technology Wuhan China Email: hui_yu@hust.edu.cn Yu Expires 25 October 2025 [Page 7]