DEEP PACKET INSPECTION (DPI) AS A SOLUTION TO MANAGING
SECURITY THREATS
Ian Betteridge
November 2013
THE SECURITY CHALLENGE
• More sophisticated and effective cyber attacks mean traditional security solutions e.g. firewall, IDS/IPS, UTM are struggling to cope.
• Need flexible and customized security policy control for real pro-active cyber-defense, especially to meet the high security needs of the government sector.
PRE-PROCESSING
• Defragmentation Engine
• Packet Re-ordering
• Connection subscriber tracking
• L3 encapsulation
CLASSIFICATION
• Protocol
• Protocol group
• Sub protocol
• Application
METADATA EXTRACTION
• Traffic statistics
• Users/Subscribers’ statistics
• QoS parameters
EXTRA FEATURES
• OS detection
• Client-Server identification
• Tethering detection
• Ads detection
• Custom defined protocol
• Fast Path
IPOQUE PACE = STATE OF THE ART DPI
• We use a variety of analysis techniques to reliably detect network protocols:
• Pattern matching
• Finite state machine
• Behavioral & heuristic analyses
• Lengths checks
• Frequency of packet sending/receiving
• Amount of connections opened by a single subscriber
• Encryption usage
PACE – HOW WE DO DPI
PRE-PROCESSING
• Key Benefits • Accuracy • Flexibility • High performance
PRE PROCESSING IMPROVES ACCURACY AND RATE OF CLASSIFICATION
• Defragmentation Engine
• Packet Re-ordering
• Connection subscriber tracking
• L3 encapsulation
CLASSIFICATION
Protocol
• Flash (Group Streaming)
• HTTP (Group Web)
Sub Protocol
• Media
Application
• YouTube (Group Streaming)
Pro
toco
l H
isto
ry
www.ipoque.com/sites/default/files/mediafiles/documents/data-sheet-supported-protocols.pdf
CLASSIFICATION
METADATA EXTRACTION
• Examples • User ID• IP address • Time and date of login/off • Host • User agent • Email- subject, body, sender,
receiver, attachment etc.• File transfer: sender, receiver,
login, attachment etc.
METADATA EXTRACTION
METADATA OUTPUT NORMALIZATIONApplications of same type produce the same Class Events:
- i.e. each webmail has a different look and feel and proprietary structure
- PADE Solution: normalize all required fields in a unified format
…
TIMESTAMP
SUBJECT
TO (CC/BCC)
FROM
METADATA EXAMPLE
EXTRA FEATURES
• Optimization features • Dynamic upgrades• SMP support• Fast path
EXTRA FEATURES
• Extra features • OS detection• Client-Server identification• Tethering detection • Advertising detection• Custom defined protocols
• Use application pre-filtering to recognize threats in adaptable flexible way
• Improve security intelligence to qualify and block an attack in real-time
• Gain efficiency by focusing only on real security threats
• Stay current with dynamic changes in protocols and applications
• Supports recognition of your custom-defined apps and protocols
• Granular customization of security policy rules
SECURITY BENEFITS IN USING DPI
Critical Infrastructure
Cyber Defense Solution
Off the Shelf Security ProductsAnti-Spam, anti-virus, anti-malware, firewall, DLK.
Cyber attacks
USING PACE AS A SECOND LINE OF DEFENSE
PACE DPI
HOW PACE ENSURES ACCURACY
Looking for parameters
a, b and c
Looking for parameters d, e, f, and g
Looking for parameters
x and y
80 % 97% 100%
PACE DETECTION RATE
71% Web Protocols22% Streaming Pro-tocols3% Unclassified Traf-fic1% VoIP Protocols1% P2P Protocols2% Other
All Network Elements: Protocol Groups
Over 95% detection rate
2,000+ Applications and Protocols recognised
Max. concurrent connections
Average packet size (Bytes)
Top 5 Protocols Gbps/core
418.720 569HTTP, FLASH,
BITTORRENT, MPEG, SKYPE
3,4
71.191 523 HTTP, SSL, RTP, FLASH, OPENVPN
5,6
Test Conditions:• Hardware: i3-2120 CPU @
3.30GHz • All application enabled• All features enabled
PACE PERFORMANCE TEST RESULTS
• Fast Performance
• High frequency of protocol and DPI engine updates
• High classification accuracy (no false positives)
• Low processor to memory consumption ratio
• Support for over 500 protocols
• Support for thousands of applications
PACE STRENGTHS AS A DPI SOLUTION
