Abstract
Deep Packet Inspection (DPI) techniques are considered extremely expensive in terms of processing cost and are therefore usually deployed in edge networks, where the amount of data to be processed is limited. This paper demonstrates that, if the application can tolerate some compromise in accuracy (as many measurement-based tasks can) and under normal traffic conditions, the processing cost can be greatly reduced while the classification precision is even improved, making DPI suitable for high-speed networks as well.
Notes
For instance, the ruleset of the November 2007 release of Snort includes 5,549 rules requiring application-level content inspection [15].
More details on the evaluation methodology will be provided in Sect. 4.
Although in the case of real-time traffic analysis we should care about the worst case in order to be sure to sustain any incoming load, this may lead to an overprovisioned system, since the probability that all the packets fall in the worst-case scenario is very small. We consider the average case a better representation of real-world network scenarios.
The additional category, non-anchored regexps not containing the Kleene closure, is omitted since it is equivalent to type (2), where the Kleene closure is at the beginning of the regular expression.
The “anchored” version was derived from the one used in the tstat tool: ^((http\/(0\.9|1\.0|1\.1)\ [1-5][0-9][0-9])|(connect|post|get|head|propfind|mkcol|delete|put|copy|move|lock|unlock)\). The “anchored + Kleene” version was used in the earlier version of l7-filter: ^((http\/(0\.9|1\.0|1\.1)\ [1-5][0-9][0-9])|(connect|post|get|head|propfind|mkcol|delete|put|copy|move|lock|unlock)\ [\x09-\x0d\ -~]*(\ http\/[01]\.[019])). The “Not anchored + Kleene” version was by far the most common one and was derived from the one present in the current version of l7-filter: (http\/(0\.9|1\.0|1\.1)\ [1-5][0-9][0-9])|(connect|post|get|head|propfind|mkcol|delete|put|copy|move|lock|unlock)\ [\x09-\x0d\ -~]*(\ http\/[01]\.[019]). The “Not anchored, no Kleene” case is omitted since it is equivalent to the second type. All these signatures were updated to also take into account the new methods defined in HTTP 1.1.
This value is due to the fact that some signatures match the message coming from the server, which is usually the second packet of the session.
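The three HTTP signature classes from the note above, run with Python's re module over constructed first-packet payloads; this is an added example, not code from the paper or from tstat/l7-filter. It assumes case-insensitive matching, the HTTP/1.1 methods options and trace as the added methods, and an escaped trailing space after the method in the anchored variant.

```python
import re

# Signature fragments as in the paper's note (tstat / l7-filter derived).
# Assumed additions: HTTP/1.1 methods options and trace, case-insensitive matching.
METHODS = (r"(connect|post|get|head|propfind|mkcol|delete|put|copy|move|lock"
           r"|unlock|options|trace)")
RESPONSE = r"(http\/(0\.9|1\.0|1\.1)\ [1-5][0-9][0-9])"
TAIL = r"[\x09-\x0d\ -~]*(\ http\/[01]\.[019])"   # Kleene closure up to the version

SIGNATURES = {
    "anchored": re.compile(r"^(" + RESPONSE + "|" + METHODS + r"\ )", re.I),
    "anchored+kleene": re.compile(r"^(" + RESPONSE + "|" + METHODS + r"\ " + TAIL + ")", re.I),
    "unanchored+kleene": re.compile(RESPONSE + "|" + METHODS + r"\ " + TAIL, re.I),
}

# Constructed sample payloads (first packet of a session, client or server side).
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
HTTP_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
TRUNCATED = b"GET /"                                   # request cut before the version
EMBEDDED = b"From: a@example.test\r\nSubject: try GET / HTTP/1.0 later\r\n"  # HTTP text inside mail
NON_HTTP = b"220 mail.example.test ESMTP ready\r\n"


def matching_signatures(payload: bytes) -> list:
    """Names of the signature classes that accept this payload."""
    text = payload.decode("latin-1")
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def start_offsets_tried(name: str, payload: bytes) -> int:
    """Start offsets a naive matcher tries before succeeding or giving up.

    An anchored pattern is tried at offset 0 only; an unanchored one is
    retried at every byte of a payload that does not match, which is the
    cost the anchoring discussed in the paper avoids.
    """
    rx = SIGNATURES[name]
    text = payload.decode("latin-1")
    if rx.pattern.startswith("^"):
        return 1
    for off in range(len(text)):
        if rx.match(text, off):
            return off + 1
    return len(text)
```

The EMBEDDED payload is accepted only by the unanchored signature, while TRUNCATED is accepted only by the anchored one, which is why the note treats the three classes separately.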
References
Moore, D., Keys, K., Koga, R., Lagache, E., Claffy, K.C.: The coralreef software suite as a tool for system and network administrators. In: LISA ’01: Proceedings of the 15th USENIX Conference on System Administration, pp. 133–144. USENIX Association, Berkeley (2001)
Crotti, M., Dusi, M., Gringoli, F., Salgarelli, L.: Traffic classification through simple statistical fingerprinting. SIGCOMM Comput. Commun. Rev. 37(1):5–16 (2007)
Bonfiglio, D., Mellia, M., Meo, M., Rossi, D., Tofanelli, P.: Revealing skype traffic: when randomness plays with you. SIGCOMM Comput. Commun. Rev. 37(4):37–48 (2007)
Este, A., Gringoli, F., Salgarelli, L.: Support vector machines for TCP traffic classification. Elsevier Comput. Netw. 53:2476–2490 (2009)
Finamore, A., Mellia, M., Meo, M., Rossi, D.: Kiss: Stochastic packet inspection. In: TMA ’09: Proceedings of the First International Workshop on Traffic Monitoring and Analysis, pp. 117–125. Springer, Berlin (2009)
Erman, J., Mahanti, A., Arlitt, M., Williamson, C.: Identifying and discriminating between web and peer-to-peer traffic in the network core. In: WWW ’07: Proceedings of the 16th International Conference on World Wide Web, pp. 883–892. ACM, New York (2007)
Erman, J., Arlitt, M., Mahanti, A.: Traffic classification using clustering algorithms. In: MineNet ’06: Proceedings of the 2006 SIGCOMM Workshop on Mining Network Data, pp. 281–286. ACM, New York (2006)
Karagiannis, T., Papagiannaki, K., Faloutsos, M.: Blinc: multilevel traffic classification in the dark. In: SIGCOMM ’05: Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, pp. 229–240. ACM, New York (2005)
Zander, S., Nguyen, T.T.T., Armitage, G.J.: Self-learning IP traffic classification based on statistical flow characteristics. In: Proceedings of Passive and Active Measurements Workshop. Lecture Notes in Computer Science, vol. 3431, pp. 325–328. Springer, New York (2005)
Moore, A.W., Zuev, D.: Internet traffic classification using Bayesian analysis techniques. In: SIGMETRICS ’05: Proceedings of the 2005 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems, pp. 50–60. ACM, New York (2005)
Bernaille, L., Teixeira, R., Akodkenou, I., Soule, A., Salamatian, K.: Traffic classification on the fly. SIGCOMM Comput. Commun. Rev. 36(2):23–26 (2006)
Bernaille, L., Teixeira, R., Salamatian, K.: Early application identification. In: CoNEXT ’06: Proceedings of the 2006 ACM CoNEXT Conference, pp. 1–12. ACM, New York (2006)
Cascarano, N., Este, A., Gringoli, F., Risso, F., Salgarelli, L.: An experimental evaluation of the computational cost of a DPI traffic classifier. In: Proceedings of IEEE Globecom 2009, Next-Generation Networking and Internet Symposium, pp. 1132–1139. IEEE, New York (2009)
Gringoli, F., Salgarelli, L., Dusi, M., Cascarano, N., Risso, F., Claffy, K.: Gt: picking up the truth from the ground for internet traffic. SIGCOMM Comput. Commun. Rev. 38:207–218 (2009)
Becchi, M., Franklin, M., Crowley, P.: A workload for evaluating deep packet inspection architectures. In: Proceedings of the 2008 IEEE International Symposium on Workload Characterization. IEEE, Seattle, September 2008
Smith, R., Estan, C., Jha, S., Kong, S.: Deflating the big bang: fast and scalable deep packet inspection with extended finite automata. SIGCOMM Comput. Commun. Rev. 38(4), 207–218 (2008)
Becchi, M., Crowley, P.: Extending finite automata to efficiently match perl-compatible regular expressions. In: Proceedings of the International Conference on emerging Networking EXperiments and Technologies (CoNEXT). ACM, Madrid (2008)
Becchi, M., Crowley, P.: An improved algorithm to accelerate regular expression evaluation. In: Proceedings of the 2007 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS). ACM, Orlando (2007)
Kumar, S., Dharmapurikar, S., Yu, F., Crowley, P., Turner, J.: Algorithms to accelerate multiple regular expressions matching for deep packet inspection. In: SIGCOMM 2006, pp. 339–350. ACM, New York (2006)
Vapnik, V.: Statistical Learning Theory. Wiley, New York (1998)
Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Networks 31(23-24), 2435–2463 (1999)
Roesch, M.: Snort—lightweight intrusion detection for networks. In: LISA ’99: Proceedings of the 13th USENIX Conference on System Administration, pp. 229–238. USENIX Association, Berkeley (1999)
Moore, A.W., Papagiannaki, K.: Toward the accurate identification of network applications. In: PAM, pp. 41–54 (2005)
Risso, F., Baldi, M., Morandi, O., Baldini, A., Monclus, P.: Lightweight, payload-based traffic classification: An experimental evaluation. In: IEEE International Conference on Communications (ICC), pp. 5869–5875 (2008)
l7-filter: Application Layer Packet Classifier for Linux. http://filter.sourceforge.net/
Computer Networks Group: NetPDL Protocol Database: http://www.nbee.org/netpdl, Politecnico di Torino
Becchi, M.: Regular Expression Processor: http://regex.wustl.edu. Washington University, St. Louis (2008)
Becchi, M., Wiseman, C., Crowley, P.: Evaluating regular expression matching engines on network and general purpose processors. In: Proceedings of the 2009 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS’09). ACM, New York (2009)
Acknowledgments
We would like to thank Luca Salgarelli and Francesco Gringoli at University of Brescia who gave us many suggestions in the earlier part of this work and who contributed to the evaluation of the results presented in this paper.
Cascarano, N., Ciminiera, L. & Risso, F. Optimizing Deep Packet Inspection for High-Speed Traffic Analysis. J Netw Syst Manage 19, 7–31 (2011). https://doi.org/10.1007/s10922-010-9181-x