Presentation from one of the remarkable IT Security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on the 7th of November 2013 and was attended by more than 400 participants on site and more than 300 via online live streaming.
1. DEEP PACKET INSPECTION (DPI) AS A SOLUTION TO MANAGING SECURITY THREATS
Ian Betteridge
November 2013
2. THE SECURITY CHALLENGE
• More sophisticated and effective cyber attacks mean traditional security solutions, e.g. firewall, IDS/IPS, UTM, are struggling to cope.
• Need flexible and customized security policy control for real pro-active cyber defense, especially to meet the high security needs of the government sector.
3. IPOQUE PACE = STATE OF THE ART DPI
[Pipeline diagram: PREPROCESSING → CLASSIFICATION → METADATA EXTRACTION → EXTRA FEATURES]
PREPROCESSING
• Defragmentation Engine
• Packet Re-ordering
• Connection subscriber tracking
• L3 encapsulation
CLASSIFICATION
• Protocol
• Protocol group
• Sub protocol
• Application
• Custom defined protocol
METADATA EXTRACTION
• Traffic statistics
• Users/Subscribers’ statistics
• QoS parameters
EXTRA FEATURES
• OS detection
• Client-Server identification
• Tethering detection
• Ads detection
• Fast Path
4. PACE – HOW WE DO DPI
• We use a variety of analysis techniques to reliably detect network protocols:
  • Pattern matching
  • Finite state machine
  • Behavioral & heuristic analyses
  • Length checks
  • Frequency of packet sending/receiving
  • Amount of connections opened by a single subscriber
  • Encryption usage
5. PRE-PROCESSING IMPROVES ACCURACY AND RATE OF CLASSIFICATION
PREPROCESSING
• Defragmentation Engine
• Packet Re-ordering
• Connection subscriber tracking
• L3 encapsulation
Key Benefits
• Accuracy
• Flexibility
• High performance
6. CLASSIFICATION
Protocol History
CLASSIFICATION
Protocol
• Flash (Group Streaming)
• HTTP (Group Web)
Sub Protocol
• Media
Application
• YouTube (Group Streaming)
www.ipoque.com/sites/default/files/mediafiles/documents/data-sheet-supported-protocols.pdf
8. METADATA OUTPUT NORMALIZATION
Applications of the same type produce the same Class Events:
- i.e. each webmail has a different look and feel and a proprietary structure
- PACE solution: normalize all required fields in a unified format:
  FROM, TO (CC/BCC), SUBJECT, TIMESTAMP, …
11. SECURITY BENEFITS IN USING DPI
• Use application pre-filtering to recognize threats in an adaptable, flexible way
• Improve security intelligence to qualify and block an attack in real time
• Gain efficiency by focusing only on real security threats
• Stay current with dynamic changes in protocols and applications
• Supports recognition of your custom-defined apps and protocols
• Granular customization of security policy rules
12. USING PACE AS A SECOND LINE OF DEFENSE
[Diagram: Cyber attacks → Off the Shelf Security Products (Anti-Spam, anti-virus, antimalware, firewall, DLK) → PACE DPI as the Cyber Defense Solution → Critical Infrastructure]
13. HOW PACE ENSURES ACCURACY
[Diagram: classification proceeds in stages, each raising the confidence of the result]
• Looking for parameters a, b and c → 80 %
• Looking for parameters d, e, f, and g → 97%
• Looking for parameters x and y → 100%
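As an added illustration (not ipoque's code and not PACE's actual algorithm), the staged approach of slides 4, 6 and 13 can be sketched as a small Python classifier: a pattern-matching stage yields protocol and group, a header-field stage yields sub protocol and application, and a behavioural length check confirms the result before it is reported at 100%; a subscriber-connection-count and encryption heuristic handles flows no signature matches. The signatures, confidence values, flow fields and sample flows are constructed for the example.

```python
import math
import re
from dataclasses import dataclass, field

# Constructed flow record (not ipoque's): first client payload plus preprocessing statistics.
@dataclass
class Flow:
    client_payload: bytes
    server_name: str = ""                   # HTTP Host or TLS SNI, if already parsed
    server_pkt_lens: list = field(default_factory=list)
    conns_by_subscriber: int = 1            # open connections from the same subscriber

# Stage 1 ("parameters a, b and c"): byte-pattern signature -> protocol and group, ~80%.
PROTOCOL_SIGNATURES = [
    (re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n"), "HTTP", "Web"),
    (re.compile(rb"^\x16\x03[\x00-\x03]"), "SSL", "Web"),   # TLS record header, handshake
    (re.compile(rb"^\x13BitTorrent protocol"), "BITTORRENT", "P2P"),
]
# Stage 2 ("d, e, f and g"): server name -> sub protocol and application, ~97%.
APPLICATIONS = {"youtube.com": ("Media", "YouTube", "Streaming")}

def byte_entropy(data):
    """Shannon entropy in bits per byte; close to 8 suggests encrypted or compressed data."""
    if not data:
        return 0.0
    probs = [data.count(bytes([b])) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs)

def classify(flow):
    result = {"protocol": "Unclassified", "group": "Other", "sub_protocol": None,
              "application": None, "confidence": 0.0}
    for sig, proto, group in PROTOCOL_SIGNATURES:
        if sig.match(flow.client_payload):
            result.update(protocol=proto, group=group, confidence=0.80)
            break
    else:
        # Fallback (slide 4): many connections from one subscriber with high-entropy payload
        # is typical of encrypted P2P; report it at low confidence rather than as unknown.
        if flow.conns_by_subscriber >= 50 and byte_entropy(flow.client_payload) > 7.0:
            result.update(protocol="Encrypted P2P (heuristic)", group="P2P", confidence=0.60)
        return result
    host = flow.server_name.lower()
    for domain, (sub, app, group) in APPLICATIONS.items():
        if host == domain or host.endswith("." + domain):
            result.update(sub_protocol=sub, application=app, group=group, confidence=0.97)
    # Stage 3 ("x and y"): length check; only a flow that also sends mostly full-size server
    # packets, as streaming does, is reported at 100%.
    lens = flow.server_pkt_lens
    if result["application"] and lens and sum(l >= 1000 for l in lens) / len(lens) >= 0.7:
        result["confidence"] = 1.0
    return result
```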
14. PACE DETECTION RATE
All Network Elements: Protocol Groups
[Pie chart of traffic share by protocol group; labels shown: Web Protocols, Streaming Protocols, P2P Protocols, VoIP Protocols, Unclassified Traffic, Other; values shown: 71%, 22%, 3%, 2%, 1%, 1%]
Over 95% detection rate
2,000+ Applications and Protocols recognised
15. PACE PERFORMANCE TEST RESULTS
Max. concurrent connections | Average packet size (Bytes) | Top 5 Protocols                      | Gbps/core
418.720                     | 569                         | HTTP, FLASH, BITTORRENT, MPEG, SKYPE | 3,4
71.191                      | 523                         | HTTP, SSL, RTP, FLASH, OPENVPN       | 5,6
Test Conditions:
• Hardware: i3-2120 CPU @ 3.30GHz
• All applications enabled
• All features enabled
16. PACE STRENGTHS AS A DPI SOLUTION
• Fast Performance
• High frequency of protocol and DPI engine updates
• High classification accuracy (no false positives)
• Low processor to memory consumption ratio
• Support for over 500 protocols
• Support for thousands of applications