DSS ITSEC 2013 Conference 07.11.2013 - IPOQUE Traffic Management

DEEP PACKET INSPECTION (DPI) AS A SOLUTION TO MANAGING SECURITY THREATS Ian Betteridge November 2013

Upload: andris-soroka

Post on 19-Jan-2015

Category:

Technology


DESCRIPTION

Presentation from one of the remarkable IT Security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7th of November, 2013 and was visited by more than 400 participants at the event venue and more than 300 via online live streaming.

TRANSCRIPT

Page 1: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

DEEP PACKET INSPECTION (DPI) AS A SOLUTION TO MANAGING SECURITY THREATS

Ian Betteridge

November 2013

Page 2: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

THE SECURITY CHALLENGE

• More sophisticated and effective cyber attacks mean traditional security solutions (e.g. firewall, IDS/IPS, UTM) are struggling to cope.

• Need flexible and customized security policy control for real pro-active cyber-defense, especially to meet the high security needs of the government sector.

Page 3: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

PRE-PROCESSING

• Defragmentation Engine

• Packet Re-ordering

• Connection subscriber tracking

• L3 encapsulation

CLASSIFICATION

• Protocol

• Protocol group

• Sub protocol

• Application

METADATA EXTRACTION

• Traffic statistics

• Users/Subscribers’ statistics

• QoS parameters

EXTRA FEATURES

• OS detection

• Client-Server identification

• Tethering detection

• Ads detection

• Custom defined protocol

• Fast Path

IPOQUE PACE = STATE OF THE ART DPI

Page 4: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

• We use a variety of analysis techniques to reliably detect network protocols:

• Pattern matching

• Finite state machine

• Behavioral & heuristic analyses

• Length checks

• Frequency of packet sending/receiving

• Number of connections opened by a single subscriber

• Encryption usage

PACE – HOW WE DO DPI
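
An added illustration (not ipoque's code and not part of the presentation) of how three of the techniques listed above, pattern matching, length checks and a finite state machine, combine so that a flow is only reported once both directions agree. The class name, state names and sample flows are constructed for this example, and payloads are assumed to be already reassembled.

```python
import re

# Pattern-matching stage: minimal signatures for HTTP/1.x (constructed for this example).
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HTTP_RESP = re.compile(rb"^HTTP/1\.[01] \d{3} ")
MIN_REQ_LEN = 16  # length check: b"GET / HTTP/1.0\r\n" is the shortest valid request line


class FlowClassifier:
    """Per-flow state machine: NEW -> CANDIDATE -> CONFIRMED, or REJECTED."""

    def __init__(self):
        self.state, self.protocol = "NEW", None

    def feed(self, direction, payload):
        """direction is 'c2s' or 's2c'; payload is reassembled, in-order TCP data."""
        if not payload or self.state in ("CONFIRMED", "REJECTED"):
            return self.state
        if self.state == "NEW":
            # A signature hit on the first client payload is only a hypothesis.
            if direction == "c2s" and len(payload) >= MIN_REQ_LEN and HTTP_REQ.match(payload):
                self.state, self.protocol = "CANDIDATE", "HTTP"
            else:
                self.state = "REJECTED"
        elif direction == "s2c":
            # The state machine confirms only if the server answers in the same protocol.
            if HTTP_RESP.match(payload):
                self.state = "CONFIRMED"
            else:
                self.state, self.protocol = "REJECTED", None
        return self.state


def classify(flow):
    """Run every (direction, payload) pair of one flow through the classifier."""
    fc = FlowClassifier()
    for direction, payload in flow:
        fc.feed(direction, payload)
    return fc.state, fc.protocol


# Constructed sample flows: a real exchange, and one that only looks like HTTP at first.
REAL_HTTP = [("c2s", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
             ("s2c", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")]
LOOKALIKE = [("c2s", b"GET /x HTTP/1.1\r\n\r\n"),
             ("s2c", b"\x00\x01binary-reply")]
```

Pattern matching alone would label `LOOKALIKE` as HTTP; the state machine withdraws that label when the server's reply does not fit.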

Page 5: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

PRE-PROCESSING

• Key Benefits

• Accuracy

• Flexibility

• High performance

PRE PROCESSING IMPROVES ACCURACY AND RATE OF CLASSIFICATION

• Defragmentation Engine

• Packet Re-ordering

• Connection subscriber tracking

• L3 encapsulation

Page 6: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

CLASSIFICATION

Protocol

• Flash (Group Streaming)

• HTTP (Group Web)

Sub Protocol

• Media

Application

• YouTube (Group Streaming)

Protocol History

www.ipoque.com/sites/default/files/mediafiles/documents/data-sheet-supported-protocols.pdf

Page 7: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

METADATA EXTRACTION

• Examples

• User ID

• IP address

• Time and date of login/off

• Host

• User agent

• Email: subject, body, sender, receiver, attachment etc.

• File transfer: sender, receiver, login, attachment etc.

Page 8: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

METADATA OUTPUT NORMALIZATION

Applications of same type produce the same Class Events:

- i.e. each webmail has a different look and feel and proprietary structure

- PADE Solution: normalize all required fields in a unified format

TIMESTAMP

SUBJECT

TO (CC/BCC)

FROM

Page 9: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

METADATA EXAMPLE

Page 10: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

EXTRA FEATURES

• Optimization features

• Dynamic upgrades

• SMP support

• Fast path

• Extra features

• OS detection

• Client-Server identification

• Tethering detection

• Advertising detection

• Custom defined protocols

Page 11: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

• Use application pre-filtering to recognize threats in an adaptable, flexible way

• Improve security intelligence to qualify and block an attack in real-time

• Gain efficiency by focusing only on real security threats

• Stay current with dynamic changes in protocols and applications

• Supports recognition of your custom-defined apps and protocols

• Granular customization of security policy rules

SECURITY BENEFITS IN USING DPI

Page 12: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

Critical Infrastructure

Cyber Defense Solution

Off the Shelf Security Products

Anti-Spam, anti-virus, anti-malware, firewall, DLK.

Cyber attacks

USING PACE AS A SECOND LINE OF DEFENSE

PACE DPI

Page 13: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

HOW PACE ENSURES ACCURACY

Looking for parameters a, b and c

Looking for parameters d, e, f, and g

Looking for parameters x and y

80% 97% 100%

Page 14: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

PACE DETECTION RATE

• 71% Web Protocols

• 22% Streaming Protocols

• 3% Unclassified Traffic

• 1% VoIP Protocols

• 1% P2P Protocols

• 2% Other

All Network Elements: Protocol Groups

Over 95% detection rate

2,000+ Applications and Protocols recognised

Page 15: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

| Max. concurrent connections | Average packet size (Bytes) | Top 5 Protocols | Gbps/core |
|---|---|---|---|
| 418.720 | 569 | HTTP, FLASH, BITTORRENT, MPEG, SKYPE | 3,4 |
| 71.191 | 523 | HTTP, SSL, RTP, FLASH, OPENVPN | 5,6 |

Test Conditions:

• Hardware: i3-2120 CPU @ 3.30GHz

• All applications enabled

• All features enabled

PACE PERFORMANCE TEST RESULTS

Page 16: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

• Fast Performance

• High frequency of protocol and DPI engine updates

• High classification accuracy (no false positives)

• Low processor to memory consumption ratio

• Support for over 500 protocols

• Support for thousands of applications

PACE STRENGTHS AS A DPI SOLUTION

Page 17: DSS ITSEC 2013 Conference 07.11.2013  - IPOQUE Traffic Management

Ian Betteridge

[email protected]

Phone +49 341 594030

Fax +49 341 59403019

THANK YOU!