Winning in an app-centric world: How DPI’s latest traffic signatures keep networks ahead of the game

John Bonzey portrait

By John Bonzey
Published on: 09.02.2021

While mobile apps started as limited task management and productivity tools like email and calendars on businesspersons’ Blackberries, in the blink of an eye, there is now “an app for that” for everything in the world.

With this phenomenal growth that continues to push the boundaries of our digital world, however, comes a number of challenges, especially in the areas of security and traffic management. Tools have proliferated to address these challenges, among them deep packet inspection (DPI), a traffic identification and classification technique widely deployed on IP networks. DPI extends traditional packet filtering to behavioral and statistical analysis, covering both encrypted and non-encrypted data.

Via metadata extraction and pattern matching, DPI provides real-time classification of the underlying traffic, identifying applications, application attributes, user information and traffic attributes such as speeds and latency as well as anomalies and irregularities. Incorporated into network functions such as routers, gateways and firewalls, DPI is able to provide the intelligence necessary to reroute, quarantine or block traffic and create activity logs necessary for traffic reporting and analysis.

That said, pattern matching by DPI deploys comprehensive traffic signature libraries. This inevitably requires DPI libraries to be updated frequently and ideally once per week so that latest traffic and threat patterns are readily identifiable.

App traffic continues to grow massively

We can see why frequent updates to DPI libraries will become critical over the coming years. Every day, the world produces 2.5 quintillion bytes of data1. Added up, this amounts to 58 zettabytes of data created in 20202. This is up from just 15.5 zettabytes in 2015—and is expected to go up to 149 zettabytes by 2024. This is mostly because of the growth of the app economy over the last decade: An estimated 130 billion apps were downloaded in 2020, up 10 % from 20193 and up from a meager 8 billion in 20104. Furthermore, it is likely that the COVID-19 pandemic may accelerate these trends even faster than previously expected, as more employees work remotely and as more cloud infrastructure is built to enable this.

For example, while mobile payment apps were already growing in popularity due to the transition to cashless economies in the Asia-Pacific and Latin America, the pandemic has accelerated their uptake due to the need for contactless payment function. While the global mobile money market was just $3.4 billion in 2019, it is expected to grow to $12 billion by 20245.

The pandemic has also triggered a boom in video streaming apps. For remote work, apps like Zoom have flourished. Telemedicine has also seen a watershed year, with an estimated 1 billion of virtual medical appointments taken place in the US in 20206. Lastly, there is the ongoing rise of user-generated social media content, most notably with TikTok, which was the most downloaded app of 20203.

As in previous years, social media apps in general are the most downloaded apps. In 2020, after TikTok, for downloads across the Apple App Store and Google Play Store, the charts7 are topped by Facebook, WhatsApp, Facebook Messenger, Instagram, and then Zoom. Since the start of the pandemic, social media use increased by 42 % in the first half of 20208. However, in terms of categories of apps that are most used, gaming apps still take the lion’s share of the total apps on peoples’ phones9,10.

Policing app traffic via DPI

DPI enables different app traffic to be managed differently. Whether it is telecom or company networks, prioritization and policy-based traffic management requires identification of the underlying apps. Some kinds of app traffic, for example, video calling on weekdays, need to be granted priority, given a network’s limited bandwidth. DPI enables prioritized traffic to be identified in real time and forwarded accordingly. This identification also helps in content caching, optimization and in bypassing certain firewalls.

In terms of security, DPI lends intelligence to firewalls, IDS and IPS functions, and enables them to arrest malicious app traffic quickly. DPI’s ability to identify obfuscated traffic, for example, can help identify hidden malware, spyware, botnets and other intrusions. Network administrators can use DPI to monitor for misuse of their networks. The use of network connectivity for illicit activities such as prohibited content on social media apps and unauthorized tethering can be identified instantly and the traffic blocked.

As frequent as possible

Frequently updated traffic signatures greatly enhance traffic visibility and the accuracy of network performance and security reports. This provides network operators and network administrators with the tools to enhance their networks and services. For example, by having the latest information on which apps are trending on the network, a mobile operator can incorporate these in their next mobile plans. Frequent updates also enable network operators to cache trending content, saving on bandwidth and network resources.

The frequency of DPI library updates also directly impacts the effectiveness of network security measures. All the data flowing between today’s apps ultimately resides in global information and telecom networks that need to be secured. Unfortunately, these are the same networks targeted by perpetrators of cybercrime. Malware infections, for example, had risen from 30 million in 2010 to 812.7 million in 201811. This number has grown vastly in 2020 due to the COVID-19 pandemic and recession. The UN estimates that 2020 saw a 600 % increase in malicious emails12. At the same time, the average global cost a company faces because of a cyberattack has increased as well, from $3.5 million in 2015 to $3.92 million in 2019, indicating that attacks have also become more dangerous11. Given the pace at which data proliferates in our world, and because of the exploit vulnerability of this data explosion, it is all the more necessary for DPI vendors to update and add new regular expressions to the libraries of their DPI engines, at the very least once every week.

Not keeping the library updated regularly means that the DPI engine may not match all signatures. The good news is: Our OEM engine R&S®PACE 2 takes care of updates seamlessly and has been earning its trust with a wide range of global customers in the network management and IT security field for many years. Our dedicated laboratories led by our traffic forensics teams analyze gigabits of traffic on the network every hour and provide updates to our DPI libraries almost instantly. By using a wide variety of leading-edge classification techniques, such as machine learning (ML) or behavioral and statistical analysis, we ensure the highest classification accuracy on the market. Combining such techniques enables R&S®PACE 2 to classify applications and protocols reliably despite encryption and obfuscation.

    The R&S®PACE 2 DPI engine, whether deployed as a proprietary appliance or as a virtualized network function, provides cloud-based updates that enable traffic on any network to be matched against the most updated signature libraries.

    Adoption of best practices in network management and security is now more important than ever. As traffic patterns change at breakneck speed, the techniques in filtering, optimizing and directing this traffic must too. DPI software tools are a great way to do this, and those tools maintained with the latest app and threat signatures do best.

    Download our R&S®PACE 2 solution guide and find out how you can boost your solution with accurate application classification for reliable network visibility.


    1 Data Never Sleeps 5.0 - Domo - 2018 (
    2 Information created globally 2010-2024 - Statista - 2020 (
    3 2020: What Happened in Mobile and How to Succeed in 2021 - App Annie - 2020 (
    4 Mobile app downloads hit 8 billion in 2010 - ITProToday - 2011 (
    5 Diversified Regulations & Policies Across Regions and Limited Network Coverage in Developing Regions Challenge the Industry - PR Newswire - 2020 (
    6 US Virtual Care Visits To Soar To More Than 1 Billion - Forrester - 2020 (
    7 ‘Most-downloaded apps’ on Android and iPhones in 2020 - Gadgets Now - 2021 (
    8 Digital Use Around the World in July 2020 - We Are Social - 2020 (
    9 Google Play most popular app categories - Statista - 2020 (
    10 Apple:most popular app store categories - Statista - 2020 (
    11 The Ultimate List Of Stats, Data & Trends - PurpleSec - 2020 (
    12 The Latest: UN warns cybercrime on rise during pandemic - ABC News - 2020 (

    John Bonzey portrait

    John Bonzey

    Contact me on LinkedIn

    John Bonzey is the sales manager for the American market, which he opened successfully for ipoque since joining Rohde & Schwarz back in 2013. John has strong expertise in software and hardware system solutions for network operators, enterprise and OEM market segments. John lives with his family in Boston, Massachusetts and is a passionate ice hockey player and adventurous snowmobiler.


    Related material

    ipoque blog - discover the latest news and trends in IP network analytics

    Sign up for our newsletter

    Stay informed about the latest news and insights from ipoque