Session-Based Traffic Analysis System

1. A session-based traffic analysis system to analyze two-way traffic based on one-way traffic, with respect to broadband traffic using a transmission control protocol (TCP), the session-based traffic analysis system comprising: at least one processor which implements a traffic mirror operatively coupled to a broadband network which monitors the one-way traffic transmitted from the broadband network on the TCP, the one-way traffic corresponding to either upstream traffic or downstream traffic; at least one processor which implements a traffic analysis subsystem operatively coupled to a nontransitory storage medium and operatively coupled to the traffic mirror to receive the traffic monitored thereby, the traffic analysis subsystem: extracts a sequence number and an acknowledgement number for each set of session information from the traffic monitored by the traffic mirror; updates an initial value and a final value for each of the extracted sequence number and the extracted acknowledgement number; determines an amount of traffic transmitted in a direction in which traffic is collected based on the initial value and the final value of the sequence number; determines an amount of traffic transmitted in a direction opposite to the direction in which traffic is collected based on the initial value and the final value of the acknowledgement number; and stores a traffic analysis result value in the nontransitory storage medium based at least in part on at least one of the determined amount of traffic transmitted in a direction in which traffic is collected or the determined amount of traffic transmitted in a direction opposite to the direction in which traffic is collected.

2. The session-based traffic analysis system of claim 1 , wherein the traffic analysis subsystem extracts, from TCP header information of the traffic, sequence information to be used as a sequence number value, acknowledgement information to be used as an acknowledgement number value, and source Internet protocol (IP), destination IP, source port, and destination port values of an IP header and a TCP header to be used as a session information value.

3. The session-based traffic analysis system of claim 1 , wherein the traffic analysis subsystem stores a sequence number and an acknowledgement number of a session information value initially collected as initial values of the sequence number and the acknowledgement number, and continuously stores sequence numbers and acknowledgement numbers collected thereafter for the same session information value, as final values of the sequence number and the acknowledgement number.

4. The session-based traffic analysis system of claim 3 , wherein the traffic analysis subsystem: calculates the initial values and the final values of the sequence number and the acknowledgement number, determines an amount of data transmitted in the direction the traffic is collected in based on an equation: “final value of sequence number−initial value of sequence number”, and determines an amount of data received in the direction opposite to the direction the traffic is collected in based on an equation: “final value of acknowledgment number−initial value of acknowledgment number”.

5. A traffic analysis system, the traffic analysis system comprising: at least one processor which implements a traffic mirror operatively coupled to a network which monitors one-way traffic on a transmission control protocol (TCP), the one-way traffic corresponding to either a first direction or a second direction, wherein traffic in the second direction is opposite to traffic in the first direction; at least one processor which implements a traffic analysis subsystem operatively coupled to the traffic mirror to receive the traffic monitored thereby, the traffic analysis subsystem: extracts a sequence number and an acknowledgement number for session information from the monitored one-way traffic; determines an initial value of the sequence number and a final value of the sequence number; determines an initial value of the acknowledgement number and a final value of the acknowledgement number; determines an amount of traffic in the first direction based on a difference between the initial value of the sequence number and the final value of the sequence number; and determines an amount of traffic in the second direction based on a difference between the initial value of the acknowledgement number and the final value of the acknowledgement number.

6. The traffic analysis system of claim 5 , wherein the traffic analysis subsystem: extracts the sequence number from a TCP header of the one-way traffic, extracts the acknowledgement number from the TCP header of the one-way traffic, and obtains the session information from a source Internet Protocol (IP) address, a destination IP address, a source port, and a destination port of the TCP header of the one-way traffic.

7. The traffic analysis system of claim 5 , wherein the traffic analysis subsystem: determines, to be the initial value of the sequence number, a sequence number initially collected for the session information, and determines, to be the initial value of the acknowledgement number, an acknowledgement number initially collected for the session information.

8. The traffic analysis system of claim 7 , wherein the traffic analysis subsystem: updates, to be the final value of the sequence number, a sequence number collected subsequently for the session information; and updates, to be the final value of the acknowledgement number, an acknowledgement number collected subsequently for the session information.

9. The traffic analysis system of claim 5 , further comprising: a nontransitory storage unit for periodically logging and storing a traffic analysis result.

10. The traffic analysis system of claim 5 , wherein traffic in the second direction is downstream traffic when traffic in the first direction is upstream traffic, and traffic in the second direction is upstream traffic when traffic in the first direction is downstream traffic.

11. A traffic analysis method, the traffic analysis method comprising: monitoring, by a processor-based traffic mirror, one-way traffic on a transmission control protocol (TCP), the one-way traffic corresponding to either traffic in a first direction or traffic in a second direction; extracting, by a processor-based traffic analysis subsystem, a sequence number and an acknowledgement number for session information from the monitored one-way traffic; determining, by the processor-based traffic analysis subsystem, an initial value of the sequence number and a final value of the sequence number; determining, by the processor-based traffic analysis subsystem, an initial value of the acknowledgement number and a final value of the acknowledgement number; determining, by the processor-based traffic analysis subsystem, an amount of traffic in the first direction based on the initial value of the sequence number and the final value of the sequence number; determining, by the processor-based traffic analysis subsystem, an amount of traffic in the second direction based on the initial value of the acknowledgement number and the final value of the acknowledgement number, wherein traffic in the second direction is opposite to traffic in the first direction.

12. The traffic analysis method of claim 11 , wherein the extracting of the sequence number and the acknowledgement number comprises: extracting the sequence number from a TCP header of the one-way traffic; extracting the acknowledgement number from the TCP header of the one-way traffic; and obtaining the session information from a source Internet Protocol (IP) address, a destination IP address, a source port, and a destination port of the TCP header of the one-way traffic.

13. The traffic analysis method of claim 11 , wherein the extracting of the sequence number and the acknowledgement number comprises: determining, to be the initial value of the sequence number, a sequence number initially collected for the session information, and determining, to be the initial value of the acknowledgement number, an acknowledgement number initially collected for the session information.

14. The traffic analysis method of claim 13 , wherein the extracting of the sequence number and the acknowledgement number further comprises: updating, to be the final value of the sequence number, a sequence number collected subsequently for the session information as, and updating, to be the final value of the acknowledgement number, an acknowledgement number collected subsequently for the session information.

15. The traffic analysis method of claim 11 , wherein the determining of an amount of traffic in the first direction based on the initial value of the sequence number and the final value of the sequence number comprises: determining an amount of traffic in the first direction based on a difference between the initial value of the sequence number and the final value of the sequence number, and the determining an amount of traffic in a second direction based on the initial value of the acknowledgement number and the final value of the acknowledgement number comprises: determining an amount of traffic in a second direction based on a difference between the initial value of the acknowledgement number and the final value of the acknowledgement number.