Deep Packet Inspection (DPI) is a term widely used in the cyber security area, but it has two different meanings depending on the context in which DPI is used: the content inspection function or the network analysis function.
Because I see a lot of confusion in the market between the two functions, I thought it would be useful to bring some clarification.
Deep Packet Inspection is a technology used to inspect packets circulating over the network by looking not only at the headers, but also at the packet payload. That said, the payload can be inspected for different kinds of information.
1) Content inspection: in this context DPI is used to look for virus or malware signatures that could be embedded in flows (packets, emails or documents received by a user). The DPI engine looks for specific patterns and matches them against a list of known malicious patterns. This is done using pattern matching algorithms and regular expression functions.
2) Network Analysis: in this context DPI is used to identify the protocols and applications used on a network. This requires pattern matching, but also more complex protocol grammar analysis and statistical analysis. Advanced forms of DPI also extract metadata from flows, such as the sender and receiver of an email.
So we see that DPI is used to fulfill two different functions. They are complementary functions, and there is no sense in comparing the features and performance of a Content Inspection engine with those of a Network Analysis engine, even if both use Deep Packet Inspection.
An advanced cyber security product design should embed both: Network Analysis to enable application-aware firewalling and normalized content extraction; Content Inspection to search for virus signatures in the content normalized by Network Analysis.
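As an added example, not code from the original article or from any product it names, the following Python sketch puts the two functions side by side: a network-analysis parser identifies SMTP or HTTP by its grammar, exports metadata (the email sender and receivers, the HTTP host and URI) and hands back the normalized message body, over which a content-inspection lexer then runs pattern matching. The signature patterns and the sample flows are constructed for the example and are not real malware signatures.

```python
import re
from dataclasses import dataclass, field

# Content inspection (the "lexer" side): match payload bytes against a signature list.
# Both signatures are constructed for this example and are not real malware patterns.
SIGNATURES = {
    "example-macro-dropper": re.compile(rb"Sub AutoOpen\(\).{0,80}?WScript\.Shell", re.S),
    "example-packed-stub": re.compile(rb"^MZ.{0,256}?UPX[0-9]", re.S),
}

def content_inspect(content: bytes) -> list[str]:
    return [name for name, rx in SIGNATURES.items() if rx.search(content)]

# Network analysis (the "parser" side): identify the protocol by its grammar, decode it
# for metadata, and hand back the normalized content that content inspection should scan.
@dataclass
class FlowInfo:
    protocol: str                                  # "smtp", "http" or "unknown"
    metadata: dict = field(default_factory=dict)   # e.g. email sender and receivers
    content: bytes = b""                           # normalized payload for inspection

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT) (\S+) HTTP/1\.[01]\r\n")
SMTP_CMD = re.compile(rb"^(EHLO|HELO|MAIL FROM:|RCPT TO:|DATA|QUIT)", re.I)

def network_analyze(client_stream: bytes) -> FlowInfo:
    m = HTTP_REQ.match(client_stream)
    if m:  # HTTP grammar: request line, header block, blank line, body
        head, _, body = client_stream.partition(b"\r\n\r\n")
        host = re.search(rb"\r\nHost: ([^\r\n]*)", head)
        meta = {"uri": m[2].decode(), "host": host[1].decode() if host else ""}
        return FlowInfo("http", meta, body)
    lines = client_stream.split(b"\r\n")
    if lines[0].upper().startswith((b"EHLO", b"HELO")):
        info = FlowInfo("smtp")  # SMTP grammar: greeting, envelope verbs, then DATA
        for i, line in enumerate(lines):
            if line.upper().startswith(b"MAIL FROM:"):
                info.metadata["sender"] = line[10:].strip(b"<> ").decode()
            elif line.upper().startswith(b"RCPT TO:"):
                info.metadata.setdefault("receivers", []).append(line[8:].strip(b"<> ").decode())
            elif line.upper() == b"DATA":  # message body runs until the lone "." terminator
                body = lines[i + 1:]
                end = body.index(b".") if b"." in body else len(body)
                info.content = b"\r\n".join(body[:end])
                return info
            elif line and not SMTP_CMD.match(line):
                break  # a line outside the grammar: this is not SMTP after all
    return FlowInfo("unknown", content=client_stream)

def inspect_flow(client_stream: bytes) -> tuple[FlowInfo, list[str]]:
    """Network analysis first, then content inspection over the normalized content."""
    info = network_analyze(client_stream)
    return info, content_inspect(info.content)
```

Running the raw HTTP stream through `content_inspect` alone misses the anchored `MZ` signature that the normalized body exposes, which is the point of feeding the lexer content already decoded by the parser.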
The chart below shows the difference between the two categories of DPI implementation.
| | Content inspection | Network Analysis |
|---|---|---|
| Method | DPI: inspect the content of the packets/flows and not only the headers | DPI: inspect the content of the packets/flows and not only the headers |
| Objective / features | Detect 100k's of virus/file signatures inside documents | Recognize and analyze protocols and applications; fully decode a protocol to export metadata |
| How it works | Lexer: detect patterns / regular expressions | Parser: multiple algorithms used, such as pattern matching, flow correlation, behavior analysis |
| Implementation | Can be software (PCRE, Sensory Networks) or hardware (Tarari, Netlogic NetL7) | Software only (e.g. Qosmos ixEngine) |
| Found in | IDS/IPS/AV | Next generation firewall, NBAD, forensics |