Winning the game of truth with network traffic classification accuracy powered by DPI

Christine Lorenz portrait

By Christine Lorenz
Published on: 29.08.2022

Vector packet processing (VPP) has introduced significant enhancements to packet processing, specifically across workloads hosted on the cloud. R&S®vPACE, the latest DPI engine by ipoque, is optimized for VPP. Building on the success of its scalar packet processing engine R&S®PACE 2, R&S®vPACE offers identification and classification of network traffic for demanding environments with a significantly enhanced clocks-per-packet ratio, enabling linear scalability and the fastest real-time processing capability in the market. Combined, R&S®vPACE and R&S®PACE 2 form a DPI suite that can be used in VPP and traditional host OS processing respectively, enabling virtualized and cloud-native architectures to be powered by deep network intelligence regardless of their underlying packet processing technology.

Eliminating false positives

Speed, however, is not the only parameter that determines the performance and efficiency of a DPI software. Accuracy, i.e. the precision by which a DPI software identifies protocols, applications or service types, is fundamental to a number of key network functionalities and applications. Both R&S®PACE 2 and R&S®vPACE boast a classification accuracy of 100% with virtually no false positives, and a time to resolution that goes down to nanoseconds. This accuracy is augmented by a comprehensive signature library that is updated weekly, reflecting the latest protocols and applications. The classification of protocols enables network administrators to understand the type of data that is being transmitted across their network. Examples include standard protocols such as HTTP, FTP and SMTP and proprietary protocols such as Skype’s Skype protocol, the Venturi Transport Protocol and WhatsApp’s chat. Applications, on the other hand, range from enterprise proprietary applications hosted on premises to Cloud and SaaS applications hosted and managed on third-party platforms. Examples are Salesforce, Dropbox, Microsoft 365, YouTube, Facebook and Whatsapp. Accurate identification of application packets would reveal not only the application but also the service types that are being communicated, which can include text, video or audio messages.

Where precision really matters

In network slicing, the instantiation of a virtual network slice relies on the real-time classification of incoming packets. On 5G mobile networks, for example, traffic from URLLC-type applications such as remote surgery, intelligent transport systems or smart grid applications, requires packets to be routed to edge computing nodes instead of being backhauled to the network core. Any delay in identifying these packets will result in a significant degradation across applications requiring consistent low-to-zero latencies. Private networks such as SD-WAN and VPN and gateways such as SASE which manage network access and privileges rely on DPI classification accuracy for implementing security policies such as ZTNA. Application-specific access and other granular authentication rules can only be implemented if network traffic can be resolved in terms of users and applications in real time. Highly accurate and reliable network traffic classification in real-time thus secures the insides of the network parameter while maintaining user experience for all legitimate users.

High classification accuracy is also critical in fingerprinting malicious traffic. Accurate classification of the Domain Name Server (DNS) protocol helps in identifying DNS amplification, DNS hijacking or DNS tunneling attacks. Reliable classification enables security solutions such as next-generation firewalls, unified threat management systems and IPS/IDS solutions to zoom into attack pathways and sources swiftly and arrest fresh attacks. While it is not the most critical objective, accurate traffic classification paves the way for better network management and a better customer experience. Application and protocol classification, when available in real time, allows for the creation of content and SLA-based tiered plans and enables application-aware routing and forwarding on fixed and mobile networks. This optimizes the use of expensive routes and computing-intensive network functions such as load balancers and tethering. Lastly, accurate classification, when combined with traffic attributes such as speeds, bandwidth and latencies, leads to a more truthful representation of network events, which can be used to optimize the existing network architecture.

More precision, higher DPI efficiency

Accuracy of network traffic classification also drives the efficiency of DPI as a monitoring tool, as it eliminates the need for multiple network detection and response solutions, which can introduce more latency into the network. Combined with a low memory footprint of 400 bytes per flow, the classification accuracy of the ipoque DPI engines empowers network managers deploy a truly cost-optimized, highly efficient solution for application awareness and network visibility. High classification accuracy is particularly important in DPI implementations that involve sampling where only a portion of the traffic is sent to a DPI node. For complete traffic analytics covering information such as the bandwidth used, latency, jitter and round-trip time, network operators can rely on inherent accuracy rates provided by DPI and couple the classification information rendered by DPI with wider traffic analytics readily available from other network components, such as software-defined networking (SDN)-controller which receives full traffic information from its switches. This enables accurate traffic profiling and analysis across all flows, despite the use of sampling.

Automation begins with accuracy

As networks move towards automation, AI-based techniques such as machine learning (ML) and deep learning (DL) are employed by new architectures such as SDN to invoke and control network functions autonomously. This automation, however, hinges on both real-time traffic inputs as well as past data on protocols, applications and service types. The more accurate past classification data is, the more meaningful the algorithms and features defined in the AI systems will be. This leads to improved network responses and a higher predictive capability across networks. Likewise, the use of ML and DL and other AI techniques such as high-dimensional data analysis for classifying encrypted traffic can only turn up accurate results if non-encrypted data feeds used in its analysis have been classified accurately.

Conclusion

The effectiveness of traffic filtering hinges largely on its packet classification accuracy. False positives can lead to unnecessary consumption of network resources while false negatives leave applications and threats unaddressed. First packet classification, for example, requires accurate classification from the first packet so that appropriate security and traffic policies can be applied in time. Accuracy is therefore one of the defining qualities of any network traffic classification engine. The ability of R&S®PACE 2 and R&S®vPACE to deliver virtually no false positives is clearly a testament to its standing as a leading DPI engine.

Sources

[1] https://www.politesi.polimi.it/bitstream/10589/133211/3/2017_04_Moro.pdf

Christine Lorenz portrait

Christine Lorenz

Contact me on LinkedIn

Christine is DPI marketing expert at ipoque, joining the company in 2013. With her background in marketing communications, she is passionate about making people aware of the capabilities of traffic analytics and DPI use cases. Christine is a lover of Vietnamese food and spends most of her spare time running and cycling, exploring nature and the outdoors.

ipoque blog - discover the latest news and trends in IP network analytics

Sign up for the ipoque newsletter

Stay informed about the latest advances and trends in
deep packet inspection and network traffic visibility