Friday, September 16, 2011

Deep Packet Inspection: don’t mix up content inspection and network analysis


Deep Packet Inspection (DPI) is a term widely used in cyber security, but it has two different meanings depending on the context in which it is used: the content inspection function or the network analysis function.
Because I see a lot of confusion in the market between the two functions, I thought it would be useful to offer some clarification.

Deep Packet Inspection is a technology used to inspect packets circulating over the network by looking not only at the headers but also into the packet payload. That said, the payload can be searched for information of a very different nature.

1)    Content inspection: in this context DPI is used to look for virus or malware signatures that could be embedded in flows (packets, emails or documents received by a user). The DPI engine looks for specific byte patterns and matches them against a list of known malicious patterns, using pattern matching algorithms and regular expressions.
2)    Network Analysis: in this context DPI is used to identify the protocols and applications in use on a network. This requires pattern matching, but also more complex protocol grammar analysis and statistical analysis. Advanced forms of DPI also extract metadata from flows, such as the sender and receiver of an email.

So DPI serves two different functions. They are complementary, and it makes no sense to compare the features and performance of a content inspection engine with those of a network analysis engine, even though both use Deep Packet Inspection.
An advanced cyber security product should embed both: network analysis to enable an application-aware firewall and normalized content extraction, and content inspection to search for virus signatures in the content that network analysis has normalized (for example, an email attachment decoded from its base64 transfer encoding before it is scanned).
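As an added illustration of the two functions and of the combined design just described (example code, not code from the original post or from any of the products named in it), the following Python sketch runs both over the same flows: a signature scanner standing in for content inspection, and a small protocol identifier/parser standing in for network analysis, which exports metadata (HTTP method, URI and host; SMTP sender and recipients) and decodes the message body so that the scanner can match a base64-encoded attachment it would miss in the raw bytes. The signature list, the protocol grammars and the sample flows are all constructed for this example; the EICAR test string is the only real pattern in it.

```python
"""Two DPI functions on the same flows: content inspection vs. network analysis.
Added example, not code from the original post or from any product it names;
flows, signatures and protocol grammars are constructed and deliberately tiny."""
import base64
import re
from dataclasses import dataclass, field

# ---- Content inspection: match known patterns anywhere in a byte stream -----
# Constructed signature list. EICAR is a real (harmless) antivirus test string;
# the second entry is a toy heuristic for obfuscated JavaScript.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {
    "EICAR-Test-File": re.compile(re.escape(EICAR)),
    "Suspicious-JS-eval-unescape": re.compile(rb"eval\s*\(\s*unescape\s*\("),
}

def content_inspect(data: bytes) -> list:
    """Lexer-style scan: names of every signature found in `data`."""
    return [name for name, rx in SIGNATURES.items() if rx.search(data)]

# ---- Network analysis: identify the protocol, parse its grammar, export ------
# metadata, and hand back normalized content for content_inspect() to scan.
@dataclass
class FlowInfo:
    protocol: str                     # identified application protocol
    metadata: dict = field(default_factory=dict)
    content: bytes = b""              # normalized content (decoded body)

HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n")

def parse_http(payload: bytes) -> FlowInfo:
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _ = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    meta = {"method": method.decode(), "uri": uri.decode(),
            "host": headers.get(b"host", b"").decode()}
    return FlowInfo("http", meta, body)

def parse_smtp(payload: bytes) -> FlowInfo:
    """Client-side SMTP: envelope sender/recipients plus the decoded DATA body."""
    sender = re.search(rb"MAIL FROM:<([^>]*)>", payload)
    rcpts = re.findall(rb"RCPT TO:<([^>]*)>", payload)
    meta = {"sender": sender.group(1).decode() if sender else None,
            "recipients": [r.decode() for r in rcpts]}
    content = b""
    data = re.search(rb"\r\nDATA\r\n(.*?)\r\n\.\r\n", payload, re.DOTALL)
    if data:
        msg = data.group(1).replace(b"\r\n..", b"\r\n.")   # SMTP dot-unstuffing
        head, _, body = msg.partition(b"\r\n\r\n")
        # Normalization: a base64 body must be decoded before a signature can match.
        if b"content-transfer-encoding: base64" in head.lower():
            body = base64.b64decode(body)
        content = body
    return FlowInfo("smtp", meta, content)

def looks_like_tls_client_hello(p: bytes) -> bool:
    # TLS record: content type 0x16 (handshake), major version 3, handshake type 1
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01

def analyze_flow(payload: bytes) -> FlowInfo:
    if HTTP_REQUEST_LINE.match(payload):
        return parse_http(payload)
    if payload[:5] in (b"EHLO ", b"HELO "):
        return parse_smtp(payload)
    if looks_like_tls_client_hello(payload):
        return FlowInfo("tls", {"encrypted": True})   # identified, nothing to scan
    return FlowInfo("unknown")

def inspect_flow(payload: bytes) -> dict:
    """Combined pipeline: analysis first, then inspection of the normalized
    content. Matching on the raw payload is reported alongside for comparison."""
    flow = analyze_flow(payload)
    return {"protocol": flow.protocol, "metadata": flow.metadata,
            "signatures_raw": content_inspect(payload),
            "signatures_normalized": content_inspect(flow.content)}

# ---- Constructed sample flows (not captured traffic) ------------------------
JS_BODY = b"var p='%3Cscript%3E';eval(unescape(p));"
HTTP_FLOW = (b"POST /upload.php HTTP/1.1\r\nHost: www.example.test\r\n"
             b"Content-Length: %d\r\n\r\n" % len(JS_BODY) + JS_BODY)
SMTP_FLOW = (b"EHLO mail.example.test\r\nMAIL FROM:<alice@example.test>\r\n"
             b"RCPT TO:<bob@example.test>\r\nDATA\r\nSubject: invoice\r\n"
             b"Content-Transfer-Encoding: base64\r\n\r\n"
             + base64.b64encode(EICAR) + b"\r\n.\r\nQUIT\r\n")
TLS_FLOW = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

if __name__ == "__main__":
    for flow in (HTTP_FLOW, SMTP_FLOW, TLS_FLOW):
        print(inspect_flow(flow))
```

Running it shows the point of the post in three lines of output: the SMTP flow yields no raw-payload match but a hit on the decoded attachment, because the signature engine only sees the EICAR bytes once network analysis has parsed the SMTP grammar and undone the base64 encoding; the HTTP flow yields the same match either way because its body travels in the clear; and the TLS flow is identified from its record header but hands nothing to content inspection at all. Those are three different jobs, which is why benchmarking the two engines against each other is meaningless.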

The table below summarizes the differences between the two categories of DPI implementation.

                      | Content inspection                                   | Network Analysis
----------------------+------------------------------------------------------+-----------------------------------------------------
Method                | DPI in both cases: inspect the content of packets/flows, not only the headers
Objective / features  | Detect 100k's of virus/file signatures inside         | Recognize and analyze protocols and applications;
                      | documents                                            | fully decode a protocol to export metadata
How it works          | Lexer: detect patterns / regular expressions         | Parser: multiple algorithms such as pattern matching,
                      |                                                      | flow correlation, behaviour analysis
Implementation        | Software (PCRE, Sensory Networks) or hardware        | Software only (e.g. Qosmos ixEngine)
                      | (Tarari, NetLogic NetL7)                             |
Found in              | IDS/IPS/AV                                           | Next-generation firewall, NBAD, forensics

© 2009 Network Intelligence Technology. All Rights Reserved