
Optimizing Deep Packet Inspection for High-Speed Traffic Analysis

Journal of Network and Systems Management

Abstract

Deep Packet Inspection (DPI) techniques are considered extremely expensive in terms of processing cost and are therefore usually deployed in edge networks, where the amount of data to be processed is limited. This paper shows that, when the application can tolerate some loss of accuracy (as many measurement-based tasks can) and the traffic is normal, i.e. not pathological or adversarial, the processing cost can be greatly reduced while the classification precision is even improved, making DPI suitable for high-speed networks as well.



Notes

  1. For instance, the ruleset of the November 2007 release of Snort includes 5,549 rules requiring application-level content inspection [15].

  2. More details on the evaluation methodology will be provided in Sect. 4.

  3. Although for real-time traffic analysis one should care about the worst case, so as to be sure of sustaining any incoming load, designing for it may lead to an overprovisioned system, since the probability that all packets fall in the worst-case scenario is very small. We consider the average case a better representation of real-world network scenarios.

  4. The additional category, non-anchored regexps not containing the Kleene closure, is omitted since it is equivalent to type (2), where the Kleene closure is at the beginning of the regular expression.

  5. The “anchored” version was derived from the one used in the tstat tool: ^((http\/(0\.9|1\.0|1\.1)\ [1-5][0-9][0-9])|(connect|post|get|head|propfind|mkcol|delete|put|copy|move|lock|unlock)\ ). The “anchored + Kleene” version was used in the earlier version of l7-filter: ^((http\/(0\.9|1\.0|1\.1)\ [1-5][0-9][0-9])|(connect|post|get|head|propfind|mkcol|delete|put|copy|move|lock|unlock)\ [\x09-\x0d\ -~]*(\ http\/[01]\.[019])). The “Not anchored + Kleene” version was by far the most common one and was derived from the one present in the current version of l7-filter: (http\/(0\.9|1\.0|1\.1)\ [1-5][0-9][0-9])|(connect|post|get|head|propfind|mkcol|delete|put|copy|move|lock|unlock)\ [\x09-\x0d\ -~]*(\ http\/[01]\.[019]). The “Not anchored, no Kleene” case is omitted since it is equivalent to the second type. All these signatures were updated to also take into account the new methods defined in HTTP 1.1.

  6. These numbers have been derived with the DFA algorithm described in [15], which is faster than the one used in [13].

  7. This value is due to the fact that some signatures match the message coming from the server, which is usually the second packet of the session.
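
The following is an added example for notes 4 and 5; it is not code from the paper, from l7-filter or from tstat. It compiles the three HTTP signature variants quoted in note 5 with Python's re module, runs them over a few constructed first-packet payloads, and checks on those payloads the equivalence claimed in note 4 (an unanchored regexp R accepts the same inputs as the anchored regexp ^.*R). Case-insensitive matching is assumed here, as l7-filter does by default; the note does not state it. The payloads are constructed for the demonstration, not traces from the paper.

```python
import re

# Added example: the three HTTP signature variants of note 5, with "mkcol" and the
# tilde restored where the page extraction garbled them. IGNORECASE is an assumption
# of this example (l7-filter's default), not something the note states.
_STATUS = rb"(http\/(0\.9|1\.0|1\.1)\ [1-5][0-9][0-9])"
_METHOD = rb"(connect|post|get|head|propfind|mkcol|delete|put|copy|move|lock|unlock)"
_TAIL = rb"[\x09-\x0d\ -~]*(\ http\/[01]\.[019])"

SIGNATURES = {
    # type 1: anchored, no Kleene closure (tstat-derived)
    "anchored": rb"^(" + _STATUS + rb"|" + _METHOD + rb"\ )",
    # type 2: anchored, Kleene closure in the middle (earlier l7-filter)
    "anchored+kleene": rb"^(" + _STATUS + rb"|" + _METHOD + rb"\ " + _TAIL + rb")",
    # type 3: not anchored, Kleene closure (current l7-filter, the common case)
    "unanchored+kleene": _STATUS + rb"|" + _METHOD + rb"\ " + _TAIL,
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SIGNATURES.items()}

# Constructed first-packet payloads for the demonstration; not captures from the paper.
SAMPLES = {
    "http_request": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "http_response": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "http09_request": b"GET /index.html\r\n",  # HTTP/0.9 style: no version token
    "smtp_body": b"DATA\r\nsee GET /doc HTTP/1.0 for details\r\n.\r\n",  # HTTP text mid-payload
    "ssh_banner": b"SSH-2.0-OpenSSH_7.4\r\n",
}


def classify(payload: bytes) -> dict:
    """Return, for one packet payload, which of the three signatures fire."""
    return {name: rx.search(payload) is not None for name, rx in COMPILED.items()}


def classify_all(samples=SAMPLES) -> dict:
    """Run every signature over every sample payload."""
    return {label: classify(payload) for label, payload in samples.items()}


def unanchored_equals_leading_kleene(pattern: bytes, payloads) -> bool:
    """Check note 4's equivalence on the given payloads: an unanchored regexp R
    accepts exactly the inputs accepted by the anchored regexp ^.*R, i.e. a
    type-2 signature whose Kleene closure sits at the very beginning."""
    unanchored = re.compile(pattern, re.IGNORECASE | re.DOTALL)
    leading_kleene = re.compile(rb"^.*(?:" + pattern + rb")", re.IGNORECASE | re.DOTALL)
    return all(
        (unanchored.search(p) is not None) == (leading_kleene.search(p) is not None)
        for p in payloads
    )


if __name__ == "__main__":
    for label, verdicts in classify_all().items():
        fired = ", ".join(name for name, hit in verdicts.items() if hit) or "-"
        print(f"{label:15s} -> {fired}")
    print("note 4 equivalence holds on samples:",
          unanchored_equals_leading_kleene(SIGNATURES["unanchored+kleene"], SAMPLES.values()))
```

On these payloads the anchored signature is the only one that accepts the version-less HTTP/0.9 request, while the unanchored signature is the only one that fires on the SMTP body containing an HTTP-looking line, since nothing ties its match to the start of the payload. Python's re does not expose how many bytes a search touched, so the example shows the precision side of the trade-off only; the cost side is what the paper measures.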

References

  1. Moore, D., Keys, K., Koga, R., Lagache, E., Claffy, K.C.: The coralreef software suite as a tool for system and network administrators. In: LISA ’01: Proceedings of the 15th USENIX Conference on System Administration, pp. 133–144. USENIX Association, Berkeley (2001)

  2. Crotti, M., Dusi, M., Gringoli, F., Salgarelli, L.: Traffic classification through simple statistical fingerprinting. SIGCOMM Comput. Commun. Rev. 37(1):5–16 (2007)


  3. Bonfiglio, D., Mellia, M., Meo, M., Rossi, D., Tofanelli, P.: Revealing skype traffic: when randomness plays with you. SIGCOMM Comput. Commun. Rev. 37(4):37–48 (2007)


  4. Este, A., Gringoli, F., Salgarelli, L.: Support vector machines for TCP traffic classification. Elsevier Comput. Netw. 53:2476–2490 (2009)


  5. Finamore, A., Mellia, M., Meo, M., Rossi, D.: Kiss: Stochastic packet inspection. In: TMA ’09: Proceedings of the First International Workshop on Traffic Monitoring and Analysis, pp. 117–125. Springer, Berlin (2009)

  6. Erman, J., Mahanti, A., Arlitt, M., Williamson, C.: Identifying and discriminating between web and peer-to-peer traffic in the network core. In: WWW ’07: Proceedings of the 16th International Conference on World Wide Web, pp. 883–892. ACM, New York (2007)

  7. Erman, J., Arlitt, M., Mahanti, A.: Traffic classification using clustering algorithms. In: MineNet ’06: Proceedings of the 2006 SIGCOMM Workshop on Mining Network Data, pp. 281–286. ACM, New York (2006)

  8. Karagiannis, T., Papagiannaki, K., Faloutsos, M.: Blinc: multilevel traffic classification in the dark. In: SIGCOMM ’05: Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pp. 229–240. ACM, New York (2005)

  9. Zander, S., Nguyen, T.T.T., Armitage, G.J.: Self-learning ip traffic classification based on statistical flow characteristics. In: Proceedings of Passive and Active Measurements Workshop. Lecture Notes in Computer Science, vol. 3431, pp. 325–328. Springer, New York (2005)

  10. Moore A.W., Zuev D.: Internet traffic classification using bayesian analysis techniques. In: SIGMETRICS ’05: Proceedings of the 2005 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, pp. 50–60. ACM, New York (2005)

  11. Bernaille, L., Teixeira, R., Akodkenou, I., Soule, A., Salamatian, K.: Traffic classification on the fly. SIGCOMM Comput. Commun. Rev. 36(2):23–26 (2006)


  12. Bernaille, L., Teixeira, R., Salamatian, K.: Early application identification. In: CoNEXT ’06: Proceedings of the 2006 ACM CoNEXT Conference, pp. 1–12. ACM, New York (2006)

  13. Cascarano, N., Este, A., Gringoli, F., Risso, F., Salgarelli, L.: An experimental evaluation of the computational cost of a DPI traffic classifier. In: Proceedings of IEEE Globecom 2009, Next-Generation Networking and Internet Symposium, pp. 1132–1139. IEEE, New York (2009)

  14. Gringoli, F., Salgarelli, L., Dusi, M., Cascarano, N., Risso, F., Claffy, K.: Gt: picking up the truth from the ground for internet traffic. SIGCOMM Comput. Commun. Rev. 38:207–218 (2009)


  15. Becchi, M., Franklin, M., Crowley, P.: A workload for evaluating deep packet inspection architectures. In: Proceedings of the 2008 IEEE International Symposium on Workload Characterization. IEEE, Seattle, September 2008

  16. Smith, R., Estan, C., Jha, S., Kong, S.: Deflating the big bang: fast and scalable deep packet inspection with extended finite automata. SIGCOMM Comput. Commun. Rev. 38(4), 207–218 (2008)


  17. Becchi, M., Crowley, P.: Extending finite automata to efficiently match perl-compatible regular expressions. In: Proceedings of the International Conference on emerging Networking EXperiments and Technologies (CoNEXT). ACM, Madrid (2008)

  18. Becchi, M., Crowley, P.: An improved algorithm to accelerate regular expression evaluation. In: Proceedings of the 2007 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS). ACM, Orlando (2007)

  19. Kumar, S., Dharmapurikar, S., Yu, F., Crowley, P., Turner, J.: Algorithms to accelerate multiple regular expressions matching for deep packet inspection. In: SIGCOMM 2006, pp. 339–350. ACM, New York (2006)

  20. Vapnik, V.: Statistical Learning Theory. Wiley, New York (1998)


  21. Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Networks 31(23-24), 2435–2463 (1999)


  22. Roesch, M.: Snort—lightweight intrusion detection for networks. In: LISA ’99: Proceedings of the 13th USENIX conference on System administration, pp. 229–238. USENIX Association, Berkeley (1999)

  23. Moore, A.W., Papagiannaki, K.: Toward the accurate identification of network applications. In: Proceedings of the Passive and Active Measurement Workshop (PAM), pp. 41–54 (2005)

  24. Risso, F., Baldi, M., Morandi, O., Baldini, A., Monclus, P.: Lightweight, payload-based traffic classification: an experimental evaluation. In: IEEE International Conference on Communications (ICC), pp. 5869–5875 (2008)

  25. l7-filter: Application Layer Packet Classifier for Linux. http://filter.sourceforge.net/

  26. Computer Networks Group: NetPDL Protocol Database: http://www.nbee.org/netpdl, Politecnico di Torino

  27. Becchi, M.: Regular Expression Processor: http://regex.wustl.edu. Washington University, St. Louis, (2008)

  28. Becchi, M., Wiseman, C., Crowley, P.: Evaluating regular expression matching engines on network and general purpose processors. In: Proceedings of the 2009 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS’09). ACM, New York (2009)


Acknowledgments

We would like to thank Luca Salgarelli and Francesco Gringoli at University of Brescia who gave us many suggestions in the earlier part of this work and who contributed to the evaluation of the results presented in this paper.

Author information

Corresponding author

Correspondence to Fulvio Risso.


Cite this article

Cascarano, N., Ciminiera, L. & Risso, F. Optimizing Deep Packet Inspection for High-Speed Traffic Analysis. J Netw Syst Manage 19, 7–31 (2011). https://doi.org/10.1007/s10922-010-9181-x

