Visible to the public Deep Packet Inspection 2014

SoS Newsletter- Advanced Book Block


SoS Logo

Deep Packet Inspection


Deep Packet Inspection offers providers a new range of use cases, some with the potential to eavesdrop on non-public communication. Current research is almost exclusively concerned with raising the capability on a technological level, but critics question it with regard to privacy, net neutrality, and other implications. These latter issues are not being raised within research communities so much as by politically interested groups. The research cited here was represented in 2014.

Najam, M.; Younis, U.; Rasool, R.U., “Multi-byte Pattern Matching Using Stride-K DFA for High Speed Deep Packet Inspection,” Computational Science and Engineering (CSE), 2014 IEEE 17th International Conference on, vol., no., pp. 547, 553, 19–21 Dec. 2014. doi:10.1109/CSE.2014.125
Abstract: Deep packet inspection (DPI) is one of the crucial tasks in modern intrusion detection and intrusion prevention systems. It allows the inspection of packet payload using patterns. Modern DPI based systems use regular expressions to define these patterns. Deterministic finite automata (DFA) is considered to be an ideal choice for performing regular expression matching due to its O(1) processing complexity. However, DFAs consume large memory to store its state transition table, but this problem gets worsened when stride level of the DFA is increased. Though, increasing stride level brings significant increase in the overall speedup of the matching engine but as a trade off it consumes large memory. In this paper, we present stride-k speculative parallel pattern matching (SPPM), a technique in which a packet is first split up into two chunks and then multiple bytes per chunk are inspected at a time using stride-k DFA. Furthermore, we present a stride-k DFA compression technique using alphabet compression table (ACT) to reduce the memory requirements of stride-k DFA. We have implemented the single threaded algorithm for stride-2 SPPM. Results show that the use of stride-2 SPPM can overall increase the pattern matching speed by up to 30% as compared to traditional DFA matching, and a significant reduction of over 70% in the number iterations required for packet processing. Secondly, over 65% reduction in the number of transitions has been achieved using ACT for stride-2 DFA implementation.
Keywords: computational complexity; deterministic automata; finite automata; pattern matching; security of data; ACT; alphabet compression table; deterministic finite automata; high speed deep packet inspection; intrusion detection system; intrusion prevention system; multibyte pattern matching; processing complexity; regular expression matching; stride-2 SPPM; stride-k DFA compression technique; stride-k speculative parallel pattern matching; Automata; Educational institutions; Indexes; Inspection; Memory management; Parallel processing; Pattern matching; DFA; alphabet compression; deep packet inspection; multi-byte matching; regular expressions (ID#: 15-6697)


Jayashree, S.; Shivashankarappa, N., “Deep Packet Inspection Using Ternary Content Addressable Memory,” Circuits, Communication, Control and Computing (I4C), 2014 International Conference on, vol., no., pp. 441, 447, 21–22 Nov. 2014. doi:10.1109/CIMCA.2014.7057841
Abstract: With the increasing internet service complexity, providing secured quality service has become a major concern. In the earlier systems, data was believed to be safer on internet without being intercepted. Now these internet vulnerabilities cannot be ignored as these weaknesses are used by many to carry out malicious activities. In order to tackle these problems, internet service providers are trying to find better options. One such technique gaining popularity in the recent decade is Deep Packet Inspection (DPI), which can be provided using software or hardware methods. It is reported that hardware is providing better solution than software. In this review article, we have introduced one such hardware, Ternary Content Addressable Memory (TCAM), which could perform complete packet inspection (packet header and payload inspection). In the first section, we have focused on evolution of packet filtering system. Later the discussion is divided into two parts: (i) packet classification using TCAM, and (ii) payload inspection (pattern matching and regular expression) using TCAM.
Keywords: content-addressable storage; inspection; pattern matching; TCAM; deep packet inspection; packet classification; packet filtering system; packet header; pattern matching; payload inspection; regular expression; ternary content addressable memory; Classification algorithms; Hardware; IP networks; Indexes; Inspection; Pattern matching; Payloads; DPI; Multi-Match Packet Classification; Pattern matching; Regular Expression; TCAM (ID#: 15-6698)


Shankar, S.S.; Lin PinXing; Herkersdorf, A., “Deep Packet Inspection in Residential Gateways and Routers: Issues and Challenges,” Integrated Circuits (ISIC), 2014 14th International Symposium on, vol., no., pp. 560, 563, 10-12 Dec. 2014. doi:10.1109/ISICIR.2014.7029481
Abstract: Several industry trends and new applications have brought the residential gateway router (RGR) to the center of digital home with direct connectivity to the service provider’s network. Increasing risks of network attacks have necessitated the need for deep packet inspection in network processor (NP) used by RGR to match traffic at multiple gigabit throughput. Traditional deep packet inspection (DPI) implementations primarily focus on end hosts like servers, personal / handheld computers. Existing DPI signature matching techniques cannot be directly implemented in RGR due to various issues and challenges pertaining to processing capacity of the NP and associated memory constraints. So 4 key factors, regular expression support, gigabit throughput, scalability and ease of signature updates has been proposed through which best signature matching system could be designed for efficient DPI implementation in RGR.
Keywords: computer network security; digital signatures; internetworking; telecommunication network routing; telecommunication traffic; DPI implementation; DPI signature matching techniques; NP processing capacity; RGR; deep-packet inspection; digital home; ease-of-signature update factor; gigabit throughput factor; memory constraints; network attack risks; network processor; network traffic; regular expression support factor; residential gateway router; scalability factor; service provider network; Algorithm design and analysis; Automata; Inspection; Memory management; Pattern matching; Software; Throughput; Deep Packet Inspection; Network Security; Regular Expressions; Residential Gateway and Router (ID#: 15-6699)


Parvat, T.J.; Chandra, P., “Performance Improvement of Deep Packet Inspection for Intrusion Detection,” Wireless Computing and Networking (GCWCN), 2014 IEEE Global Conference on, vol., no., pp. 224, 228, 22–24 Dec. 2014. doi:10.1109/GCWCN.2014.7030883
Abstract: The development in anomaly and misuse detection in this decade is crucial as web services grow vast. Managing secure network is a challenge today. The objectives vary according to the infrastructure management and security policy. There are various ways to check stateful packet inspection and Deep Packet inspection (DPI). Identify payload traffic using DPI, Network security, Privacy and QoS. The functions of DPI are protocol detection, anti-virus, anti-malware and Intrusion Detection System (IDS). The detection engine may support by a signatures or heuristics. Most of the algorithms do training and testing, it takes approximately double time. The paper suggests a new model to improve performance of Intrusion detection system by using in/out based attributes of records. It takes a comparative less time and good accuracy than the existing classifiers.
Keywords: computer network management; computer network performance evaluation; computer network security; computer viruses; data privacy; program testing; protocols; quality of service; DPI; IDS; QoS; Web services; anomaly detection; anti-malware; anti-virus; deep packet inspection; heuristics; in/out based attributes; infrastructure management; intrusion detection system; misuse detection; network privacy; network security; payload traffic; protocol detection; secure network management; security policy; Accuracy; Computational modeling; Hidden Markov models; Inspection; Intrusion detection; Training; Accuracy; Deep Packet Inspection; Intrusion Detection; Performance; Security (ID#: 15-6700)


Yunchun Li; Rong Fu, “An Parallelized Deep Packet Inspection Design in Software Defined Network,” Information Technology and Electronic Commerce (ICITEC), 2014 2nd International Conference on, vol., no., pp. 6, 10, 20-21 Dec. 2014. doi:10.1109/ICITEC.2014.7105560
Abstract: Deep packet inspection (DPI) is a key technology in software defined network (SDN) which can centralize network policy control and accelerate packet transmission. In this paper, we propose a new SDN architecture with DPI module. Base on the centralization idea of SDN, we deploying a parallel DPI to the control layer. We present DPI interface in the SDN controller and discuss OpenFlow protocol extension. Paralleling the DPI algorithm effectively reduces the time of detecting packets and sending flow tables. We also describe an Adaptive Highest Random Weight with an additional feedback corresponding to queue length and string length matching at each processor. The original Highest Random Weight (HRW) hash ensures the connection locality. Treating all tasks as the same weight just balances the workload over the number of different task. By adding the adjustment multiplier and combined with the characteristics of the fixed hash function, the system can allocate resource dynamically and achieve connection-level parallelism in consideration of the processing time for per packet.
Keywords: parallel processing; protocols; software defined networking; string matching; DPI module interface; HRW hash function; OpenFlow protocol extension; SDN architecture; adaptive highest random weight; centralize network policy control; connection-level parallelism; packet transmission acceleration; parallelized deep packet inspection design; queue length; resource allocation; software defined network; string length; Algorithm design and analysis; Computer architecture; Pattern matching; Servers; Software algorithms; Switches; Throughput; Adaptive Highest Random Weight; Deep Packet Inspection; SDN Controller; Software Defined Network (ID#: 15-6701)


Niang, B., “Bandwidth Management — A Deep Packet Inspection Mathematical Model,” Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT), 2014 6th International Congress on, vol., no., pp. 169, 175, 6–8 Oct. 2014. doi:10.1109/ICUMT.2014.7002098
Abstract: New technologies and services provided by Internet Service Providers (M2M, clouds, online-games, HD-video), lead to the constant growth of traffic per a single subscriber. This forces operators to increase network capacity even for processing traffic generated by existing subscribers. Under the circumstances of an overloaded radio network (common situation in large cities) subscribers often don’t obtain the bandwidth guaranteed by the contract. The Deep Packet Inspection helps operator to distinguish type of service in aggregate traffic and assign bitrate for each service separately. Our research works based on proposal of mathematical models of calculating the different flow characteristics and the number of tasks handling by a very speedy system dealing with Giga Ethernet. The Deep Packet Inspection is a software based engine; it allows analyzing the real-time traffic, enforcing rules and instruction received from other network component named Policy Controller and Rule Function. Therefore, the Software will deal with different kinds of traffic like Web based content, social networks traffic, Peer-to-Peer, Streaming, IPTV, Voice etc.
Keywords: Internet; bandwidth allocation; local area networks; radio networks; telecommunication traffic; Giga Ethernet; bandwidth management; bitrate assignment; deep packet inspection mathematical model; flow characteristic; internet service provider; mathematical model; network capacity; policy controller; radio network; real-time traffic; rule function; software based engine; task handling; traffic growth; Control systems; Hardware; Mathematical model; Protocols; Servers; Software; Telecommunications; Bandwidth; DPI; Mathematical models; Mobile Networks; Traffic (ID#: 15-6702)


Watson, B.W.; Blox, I., “Elastic Deep Packet Inspection,” Cyber Conflict (CyCon 2014), 2014 6th International Conference on, vol., no., pp. 241, 253, 3–6 June 2014. doi:10.1109/CYCON.2014.6916406
Abstract: Deep packet inspection (DPI) systems are required to perform at or near network line-rate speeds, matching thousands of rules against the network traffic. The engineering performance and price trade-offs are such that DPI is difficult to virtualize, either because of very high memory consumption or the use of custom hardware; similarly, a running DPI instance is difficult to ‘move’ cheaply to another part of the network. Algorithmic constraints make it costly to update the set of rules, even with minor edits. In this paper, we present Elastic DPI. Thanks to new algorithms and data-structures, all of these performance and flexibility constraints can be overcome — an important development in an increasingly virtualized network environment. The ability to incrementally update rule sets is also a potentially interesting use-case in next generation firewall appliances that rapidly update their rule sets.
Keywords: computer network security; data structures; inspection; telecommunication traffic; virtualisation; DPI systems; data structures; elastic DPI; elastic deep packet inspection; engineering performance; firewall appliances; flexibility constraints; network traffic; performance constraints; rule set updating; virtualized network environment; Engines; Hardware; Inspection; Memory management; Optimization; Sensors; Virtual machining; deep packet inspection (DPI); incremental defense; speed/memory performance (ID#: 15-6703)


Roth, C.; Schillinger, R., “Detectability of Deep Packet Inspection in Common Provider/Consumer Relations,” Database and Expert Systems Applications (DEXA), 2014 25th International Workshop on, vol., no., pp. 283, 287, 1–5 Sept. 2014. doi:10.1109/DEXA.2014.64
Abstract: Payload examination using Deep Packet Inspection (DPI) offers (infrastructure) providers a whole new range of use cases, many of them with a potential to eavesdrop on non-public communication. Current research is almost exclusively concerned with raising this capabilities on a technological level. Critical voices about DPI’s impact on the Internet with regard to privacy, net neutrality, and its other implications are raised, however often not within research communities but rather by politically interested groups. In fact, no definite method allowing detection of DPI is known. In this paper we present five different approaches targeting this problem. While starting points for DPI detection are given, including leakage of internal data or software errors, not all of of the presented approaches can be simulated or verified at all and none so far has been tested in real world settings.
Keywords: Internet; DPI detection; Internet; deep packet inspection; internal data; payload examination; provider-consumer relations; software errors; IP networks; Inspection; Internet; Payloads; Protocols; Security; Software (ID#: 15-6704)


Deri, L.; Martinelli, M.; Bujlow, T.; Cardigliano, A., “nDPI: Open-Source High-Speed Deep Packet Inspection,” Wireless Communications and Mobile Computing Conference (IWCMC), 2014 International, vol., no., pp. 617, 622, 4–8 Aug. 2014. doi:10.1109/IWCMC.2014.6906427
Abstract: Network traffic analysis was traditionally limited to packet header, because the transport protocol and application ports were usually sufficient to identify the application protocol. With the advent of port-independent, peer-to-peer, and encrypted protocols, the task of identifying application protocols became increasingly challenging, thus creating a motivation for creating tools and libraries for network protocol classification. This paper covers the design and implementation of nDPI, an open-source library for protocol classification using both packet header and payload. nDPI was extensively validated in various monitoring projects ranging from Linux kernel protocol classification, to analysis of 10 Gbit traffic, reporting both high protocol detection accuracy and efficiency.
Keywords: Linux; cryptographic protocols; operating system kernels; peer-to-peer computing; telecommunication traffic; transport protocols; Linux kernel protocol classification; application protocol identification; encrypted protocols; monitoring projects; nDPI; network protocol classification; network traffic analysis; open-source high-speed deep packet inspection; open-source library; packet header; payload; peer-to-peer protocols; port-independent protocols; protocol detection accuracy; protocol detection efficiency; transport protocol; IP networks; Libraries; Monitoring; Open source software; Payloads; Ports (Computers); Protocols; Deep Packet Inspection; Passive traffic classification; network traffic monitoring (ID#: 15-6705)


Luchaup, D.; De Carli, L.; Jha, S.; Bach, E., “Deep Packet Inspection with DFA-Trees and Parametrized Language Overapproximation,” INFOCOM, 2014 Proceedings IEEE, vol., no., pp. 531, 539, April 27 2014–May 2 2014. doi:10.1109/INFOCOM.2014.6847977
Abstract: IPSs determine whether incoming traffic matches a database of vulnerability signatures defined as regular expressions. DFA representations are popular, but suffer from the state-explosion problem. We introduce a new matching structure: a tree of DFAs where the DFA associated with a node over-approximates those at its children, and the DFAs at the leaves represent the signature set. Matching works top-down, starting at the root of the tree and stopping at the first node whose DFA does not match. In the common case (benign traffic) matching does not reach the leaves. DFA-trees are built using Compact Overapproximate DFAs (CODFAs). A CODFA D’ for D over-approximates the language accepted by D, has a smaller number of states than D, and has a low false-match rate. Although built from approximate DFAs, DFA-trees perform exact matching faster than a commonly used method, have a low memory overhead and a guaranteed good worst case performance.
Keywords: computational complexity; deterministic automata; digital signatures; finite automata; formal languages; pattern matching; tree data structures; CODFAs; DFA-trees; IPSs; NP-hard problem; benign traffic matching; compact overapproximate DFAs; deep packet inspection; deterministic finite automata; intrusion prevention system; low false-match rate; low memory overhead; matching structure; parametrized language overapproximation; regular expressions; state-explosion problem; vulnerability signatures; Approximation error; Automata; Computers; Conferences; DH-HEMTs; Payloads; Training (ID#: 15-6706)


Melo, W.; Lopes, P.; Antonello, R.; Fernandes, S.; Sadok, D., “On the Performance of DPI Signature Matching with Dynamic Priority,” Computers and Communication (ISCC), 2014 IEEE Symposium on, vol., no., pp. 1, 6, 23–26 June 2014. doi:10.1109/ISCC.2014.6912553
Abstract: Traffic classification and identification plays an important role for several activities in network traffic management, where DPI (Deep Packet Inspection) is one of the most accurate and used techniques. However, inspection of packet payload is highly computing intensive. Several research studies have evaluated different components of DPI systems for application detection, in order to increase the classification speed. Nonetheless, the arrangement of the signatures in the signature set is an open issue and can degrade performance. Depending on the order of signatures, the overall performance of the DPI system can be degraded, leading to loss of packets and incorrect traffic identification. To the best of our knowledge, no previous research has analyzed the impact of the order of the application signatures and how it could be modified to improve the identification speed in a given DPI. In this work, we evaluate the impact of the ordering of signatures in a list and propose a method to dynamically adapt the signature list according to the traffic dynamics. We show the effectiveness of our approach with the most reactive proposed setup, saving more than 50% of processing time. We demonstrate the importance of the order of signatures and propose an effective method that can be used to save processing time. Finally, our method can be combined with other state-of-the-art techniques to achieve an optimal utilization of DPI features.
Keywords: computer network performance evaluation; computer network security; digital signatures; telecommunication traffic; DPI signature matching performance; DPI system components; application detection; deep-packet inspection; dynamic priority; identification speed improvement; incorrect-traffic identification problem; network traffic management; optimal DPI feature utilization; overall performance degradation; packet loss; packet payload inspection; processing time; signature arrangement; signature order; signature set; traffic classification speed; traffic dynamics; traffic identification speed; Automata; Engines; Graphics processing units; Inspection; Payloads; Radiation detectors; Telecommunication traffic; Deep Packet Inspection; Dynamic Priority; Performance Evaluation; Signatures List (ID#: 15-6707)


Yunchun Li; Jingxuan Li, “Multiclassifier: A Combination of DPI and ML for Application-Layer Classification in SDN,” Systems and Informatics (ICSAI), 2014 2nd International Conference on, vol., no., pp. 682, 686, 15–17 Nov. 2014. doi:10.1109/ICSAI.2014.7009372
Abstract: In traditional campus network, application-layer classification is often achieved by using specific devices that support application-layer classification. Since different vendors have different realizations, even the same flow may have different results with different devices. Thus it’s hard to set a global consistent application-layer management policy for the whole network. The idea of separating the control plane and the data plane comes up with Software Defined Network have opened a gate for solving this problem. In the SDN paradigm, the control plane have a global view over the whole network, thus it can do application-layer classification and set policies globally. In this paper, we identify problems with the current application-layer classification in campus network and analyze the advantage of doing application-layer classification with SDN. And based on SDN, we show a new approach to do application-layer classification combining different classifiers: Deep Packet Inspection and Machine Learning based Packet Classification. Our experiments show that with this approach, we can archive a high classification speed while maintain an acceptable accuracy rate.
Keywords: learning (artificial intelligence); pattern classification; software defined networking; DPI; ML; MultiClassifier; SDN; application-layer classification; campus network; deep packet inspection; machine learning; packet classification; Accuracy; Classification algorithms; Computer architecture; Protocols; Reliability; Software defined networking; Throughput; Application-layer classification; Deep Packet Inspection; Machine Learning; Software Defined Network (ID#: 15-6708)


Zoican, S.; Vochin, M., “On Implementing Packet Inspection Using CUDA Enabled Graphical Processing Units,” Communications (COMM), 2014 10th International Conference on, vol., no., pp. 1, 6, 29–31 May 2014. doi:10.1109/ICComm.2014.6866661
Abstract: This work has the goal to study how an efficient deep packet inspection (DPI) algorithm may be implemented using the graphical processing unit (GPU) CUDA (Computer Unified Device Architecture) enabled boards existing in personal computers, and to analyze implementation efficiency. The following tasks have been analyzed: the parallelization of the pattern matching algorithm and the optimization of C code written for Nvidia compiler to obtain the best performance. The conclusion shows that CUDA technology represents a very attractive solution to implement DPI algorithms without the typically memory and complexity constraints.
Keywords: computer networks; graphics processing units; parallel algorithms; parallel architectures; pattern matching; C code optimization; CUDA enabled graphical processing units; Nvidia compiler; computer unified device architecture; deep packet inspection algorithm; pattern matching algorithm parallelization; Algorithm design and analysis; Computer architecture; Graphics processing units; Inspection; Instruction sets; Kernel; Registers; CUDA technology; deep packet inspection; deterministic finite automaton; pattern search; significant character (ID#: 15-6709)


Yamaguchi, F.; Nishi, H., “High-Throughput and Low-Cost Hardware Accelerator for Privacy Preserving Publishing,” Field-Programmable Custom Computing Machines (FCCM), 2014 IEEE 22nd Annual International Symposium on, vol., no., pp. 242, 242, 11-13 May 2014. doi:10.1109/FCCM.2014.77
Abstract: Deep Packet Inspection (DPI) has become crucial for providing rich internet services, such as intrusion and phishing protection, but the use of DPI raises concerns for protecting the privacy of internet users. In this paper, a RAM-based hardware anonymizer is proposed for implementation on a Virtex-5 FPGA device. The results of the hardware anonymizer showed that the proposed architecture reduced circuit usage by 40%.
Keywords: Internet; computer crime; data privacy; electronic publishing; field programmable gate arrays; random-access storage; Internet services; RAM-based hardware anonymizer; Virtex-5 FPGA device; circuit usage; hardware anonymizer; high-throughput low-cost hardware accelerator; intrusion protection; phishing protection; privacy preserving publishing; Data privacy; Field programmable gate arrays; Hardware; Internet; Privacy; Random access memory; Table lookup; Anonymization; Deep Packet Inspection; FPGA (ID#: 15-6710)


Salcedo Parra, O.J.; Basto Maldonado, E.J.; Reyes Daza, B.S., “Legal Assessment of DPI in Telecommunication Networks in Colombia,” Information Society (i-Society), 2014 International Conference on, vol., no., pp. 228, 233, 10–12 Nov. 2014. doi:10.1109/i-Society.2014.7009048
Abstract: Deep Packet Inspection technology has generated such recent debates and expectations for its operation. If we take as a basis the operators and ISPs interfering network service platforms and equipment capable of analyzing all traffic to Internet subscribers, this fact has led to all kinds of disputes such as who or what agency regulates that interfered and analyzed data are not made public, maintain its integrity and are not marketed in any way, respecting the privacy of users. This article provides an assessment of the legal proceedings and legal framework whose scope is the protection of data and information, with the use of deep packet inspection or DPI, by operators and service providers in Colombia. Subsequent analyzes the composition of the Internet and the responsible authorities of regulating the services offered in the network. Finally a number of suggestions and recommendations to the actors that directly affect the deep packet inspection will be concluded by referencing real cases, laws and models governing other countries.
Keywords: Internet; data privacy; law; telecommunication services; telecommunication traffic; Colombia; DPI; ISP; Internet service provider; Internet subscribers; deep packet inspection technology; legal assessment; network service; telecommunication networks; Government; Inspection; Internet; Law; Privacy; Security; DPI; Firewall; Habeas Data; ISP; Petabyte; TIC (ID#: 15-6711)


Lara, A.; Ramamurthy, B., “OpenSec: A Framework for Implementing Security Policies Using OpenFlow,” Global Communications Conference (GLOBECOM), 2014 IEEE, vol., no., pp. 781, 786, 8–12 Dec. 2014. doi:10.1109/GLOCOM.2014.7036903
Abstract: As the popularity of software defined networks (SDN) and OpenFlow increases, policy-driven network management has received more attention. Manual configuration of multiple devices is being replaced by an automated approach where a software-based, network-aware controller handles the configuration of all network devices. Software applications running on top of the network controller provide an abstraction of the topology and facilitate the task of operating the network. We propose OpenSec, an OpenFlow-based security framework that allows a network security operator to create and implement security policies written in human-readable language. Using OpenSec, the user can describe a flow in terms of OpenFlow matching fields, define which security services must be applied to that flow (deep packet inspection, intrusion detection, spam detection, etc) and specify security levels that define how OpenSec reacts if malicious traffic is detected. We implement OpenSec in the GENI testbed to evaluate the flexibility, accuracy and scalability of the framework. The experimental setup includes deep packet inspection, intrusion detection and network quarantining to secure a web server from network scanners. We achieve a constant delay when reacting to security alerts and a detection rate of 98%.
Keywords: Internet; computer network management; computer network security; software defined networking; telecommunication network topology; telecommunication traffic; GENI testbed; OpenFlow matching fields; OpenFlow-based security framework; OpenSec; Web server; deep packet inspection; human-readable language; intrusion detection; malicious traffic; network quarantining; network scanners; network security; network-aware controller; policy-driven network management; security policies; software applications; software defined networks; software-based controller; Communication networks; Inspection; Ports (Computers); Process control; Security; Switches; Network Security; OpenFlow; Software Defined Networking (ID#: 15-6712)


Rathod, P.M.; Marathe, N.; Vidhate, A.V., “A Survey on Finite Automata Based Pattern Matching Techniques for Network Intrusion Detection System (NIDS),” Advances in Electronics, Computers and Communications (ICAECC), 2014 International Conference on, vol., no., pp. 1, 5, 10–11 Oct. 2014. doi:10.1109/ICAECC.2014.7002456
Abstract: Many network security applications such as Intrusion Detection System (IDS), Firewall and data loss prevention system (dlps) are based on deep packet inspection, in this packets header as well as payload of the packets are checked with predefined attack signature to identify whether it contains malicious traffic or not. To perform this checking different pattern matching methods are used by NIDS. The most popular method to implement pattern matching is to use of Finite Automata (FA). Generally, regular expressions are used to represent most of the attack signatures defined by NIDS. They are implemented using finite automata, which takes the payload of packet as input string. However, existing approaches of Finite Automata (FA), both deterministic finite automata (DFA) and non-deterministic finite automata (NFA) for pattern matching are having their own advantages and some drawbacks. The DFA based pattern matching methods are fast enough but require more memory. However, NFA based pattern matching methods are comparatively takes less memory but the speed of matching is very slow, to overcome these drawbacks of finite automata there are many approaches have been proposed. This paper discuses comparative study of some Finite Automata (FA) based techniques for pattern matching in network intrusion detection system (NIDS).
Keywords: computer network security; finite automata; pattern matching; telecommunication traffic; DLPS; FA; NIDS; attack signatures; data loss prevention system; deep packet inspection; finite automata based pattern matching techniques; firewall; malicious traffic; network intrusion detection system; network security applications; packets header; packets payload; regular expression matching; Application specific integrated circuits; Automata; Field programmable gate arrays; Intrusion detection; Memory management; Merging; Pattern matching; Finite Automata; NIDS and DLPS; Regular Expression Matching (ID#: 15-6713)


Yuzhi Wang; Ping Ji; Borui Ye; Pengjun Wang; Rong Luo; Huazhong Yang, “GoHop: Personal VPN to Defend from Censorship,” Advanced Communication Technology (ICACT), 2014 16th International Conference on, vol., no., pp. 27, 33, 16–19 Feb. 2014. doi:10.1109/ICACT.2014.6778916
Abstract: Internet censorship threatens people’s online privacy, and in recent years, new technologies such as high-speed Deep Packet Inspection (DPI) and statistical traffic analysis methods had been applied in country scale censorship and surveillance projects. Traditional encryption protocols cannot hide statistical flow properties and new censoring systems can easily detect and block them “in the dark”. Recent work showed that traffic morphing and protocol obfuscation are effective ways to defend from statistical traffic analysis. In this paper, we proposed a novel traffic obfuscation protocol, where client and server communicate on random port. We implemented our idea as an open-source VPN tool named GoHop, and developed several obfuscation method including pre-shared key encryption, traffic shaping and random port communication. Experiments has shown that GoHop can successfully bypass internet censoring systems, and can provide high-bandwidth network throughput.
Keywords: Internet; cryptographic protocols; data protection; public domain software; statistical analysis; telecommunication traffic; transport protocols; DPI; GoHop; TCP protocol; bypass Internet censoring systems; country scale censorship; encryption protocols; high-bandwidth network throughput; high-speed deep packet inspection; open-source VPN tool; people online privacy; personal VPN; pre-shared key encryption; privacy protection; random port communication; statistical flow property; statistical traffic analysis methods; surveillance projects; traffic morphing; traffic obfuscation protocol method; traffic shaping; Cryptography; Internet; Ports (Computers); Protocols; Servers; Throughput; Virtual private networks; VPN; censorship circumvention; privacy protection; protocol obfuscation; random port; traffic morphing (ID#: 15-6714)


An Yang; Liang Zhang, “MP-DPI: A Network Processing Platform Based on the Many-Core Processor,” Communication Problem-Solving (ICCP), 2014 IEEE International Conference on, vol., no., pp. 435, 438, 5–7 Dec. 2014. doi:10.1109/ICCPS.2014.7062315
Abstract: Deep packet inspection or DPI is now a fast growing application technology in the field of network security, which requires the network security platform has a higher speed to handle a large number of session connections, and track the status of these connections quickly. This paper proposed the MP-DPI, a many-core based network processing platform, which uses the ATCA standard modular design, makes use of the integrated many-core network process accelerate engine, and integrates a popular open source DPI system named SNORT. The experiment result shows that in the same power consumption, the throughput of MP-DPI platform is three times as large as traditional X86 servers.
Keywords: computer network security; multiprocessing systems; ATCA standard modular design; MP-DPI network processing platform; SNORT system; deep packet inspection; many-core network process accelerate engine; many-core processor; multiprocessing system; network security; open source DPI system; session connection; Blades; Hardware; Power demand; Servers; Switches; Throughput; Uniform resource locators (ID#: 15-6715)


Takano, Y.; Ohta, S.; Takahashi, T.; Ando, R.; Inoue, T., “Mindyourprivacy: Design and Implementation of a Visualization System for Third-Party Web Tracking,” Privacy, Security and Trust (PST), 2014 Twelfth Annual International Conference on, vol., no., pp. 48, 56, 23–24 July 2014. doi:10.1109/PST.2014.6890923
Abstract: Third-party Web tracking is a serious privacy issue. Advertisement sites and social networking sites stealthily collect users' Web browsing history for purposes such as targeted advertising or predicting trends. Unfortunately, very few Internet users realize this, and their privacy has been infringed upon because they have no means of recognizing the situation. In this paper we present the design and implementation of a system called MindYourPrivacy that visualizes third-party Web tracking and clarifies the entities threatening users' privacy. The implementation adopts deep packet inspection, DNS-SOA-record-based categorization, and HTTP-referred graphical analysis to visualize collectors of Web browsing histories without device dependency. To demonstrate the effectiveness of our proof-of-concept implementation, we conducted an experiment in an IT technology camp, where 129 attendees discussed IT technologies for four days, The experiment's results revealed that visualizing Web tracking effectively influences users' perception of privacy. Analysis of the user data we collected at the camp also revealed that MCODE clustering and some features derived from graph theory are useful for detecting advertising sites that potentially collect user information by Web tracking for their own purposes.
Keywords: Internet; advertising; data privacy; data visualisation; graph theory; pattern clustering; service-oriented architecture; social networking (online); DNS-SOA-record-based categorization; HTTP-referred graphical analysis; IT technology camp; Internet users; MCODE clustering; MindYourPrivacy; Web browsing history; advertisement sites; device dependency; packet inspection; proof-of-concept implementation; social networking sites; third-party Web tracking; user data analysis; user privacy; visualization system; Browsers; Databases; HTML; History; Privacy; Target tracking; Data and Knowledge Visualization; Network Monitoring; Security; Web Mining (ID#: 15-6716)


He, Gaofeng; Zhang, Tao; Ma, Yuanyuan; Xu, Bingfeng, “A Novel Method to Detect Encrypted Data Exfiltration,” Advanced Cloud and Big Data (CBD), 2014 Second International Conference on, vol., no., pp. 240, 246, 20–22 Nov. 2014. doi:10.1109/CBD.2014.40
Abstract: Cloud computing’s distributed architecture helps ensure service resilience and robustness. Meanwhile, the big data stored in the cloud are valuable and sensitive and they are becoming attractive targets of attackers. In real life, attackers can carry out attacks such as Advanced Persistent Threat (APT) to invade cloud infrastructure and steal cloud users’ confidential data through encrypted transmission. Unfortunately, the most commonly used methods, e.g., Deep Packet Inspection (DPI), cannot detect encrypted data leakage efficiently. In this paper, we propose a novel method to detect encrypted data exfiltration for cloud. Generally speaking, the proposed method is composed of two steps. First, cloud providers analyze all outgoing network traffic and find out encrypted traffic. Second, cloud providers determine whether the encrypted traffic is launched by cloud users expectedly. If not, the encrypted traffic will be considered as data exfiltration. Specially, in the first step, DPI and entropy technology are used together to find out encrypted traffic efficiently and in the second step, we determine whether the encryption is expected or not through building cloud users’ network behavior profile. We have carried out extensive experiments in real-world network environment and the experimental results validate the feasibility and effectiveness of our method.
Keywords: Encryption; Entropy; Estimation; Feature extraction; IP networks; Protocols; cloud; data exfiltration; network behavior profile; sample entropy; security (ID#: 15-6717)


Udechukwu, R.; Dutta, R., “Extending Openflow for Service Insertion and Payload Inspection,” Network Protocols (ICNP), 2014 IEEE 22nd International Conference on, vol., no., pp. 589, 595, 21–24 Oct. 2014. doi:10.1109/ICNP.2014.94
Abstract: Software Defined Networking (SDN) offers traffic characterization and resource allocation policies to change dynamically, while avoiding the obsolescence of specialized forwarding equipment. Open Flow, a SDN standard, is currently the only standard that explicitly focuses on multi-vendor openness. Unfortunately, it only provides for traffic engineering on an integrated basis for L2–L4. The obvious approaches to expand Open Flow's reach to L7, would be to enhance the data path flow table, or to utilize the controller for deep packet inspection, both introduces significant scalability barriers. We propose and prototype an enhancement to Open Flow based on the idea of an External Processing Box (EPB) optionally attached to forwarding engines, however, we use existing protocol extension constructs to control the EPB as an integrated part of the Open Flow data path. This provides network operators with the ability to use L7-based policies to control service insertion and traffic steering, without breaking the open paradigm. This novel yet eminently practical augmentation of Open Flow provides added value critical for realistic networking practice. Retention of multi-vendor openness for such an approach has not been previously reported in literature to the best of our knowledge. We report numerical results from our prototype, characterizing the performance and practicality of this prototype by implementing a video reconditioning application on this platform.
Keywords: protocols; resource allocation; software defined networking; telecommunication traffic; L7-based policies; Open Flow data path; SDN standard; data path flow table; deep packet inspection; external processing box; forwarding engines; forwarding equipment; multivendor openness; network operators; open paradigm; payload inspection; protocol extension; resource allocation policies; scalability barriers; service insertion; software defined networking; traffic characterization; traffic engineering; traffic steering; video reconditioning application; Delays; Engines; Hardware; Process control; Prototypes; Streaming media; Video recording (ID#: 15-6718)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.