Nowhere to hide: Using deep packet inspection for threat detection


By Christine Lorenz
Published on: 07.03.2023

Cybersecurity threats on IP networks are on the rise, with cyberattacks becoming increasingly frequent and sophisticated. According to a report by Cybersecurity Ventures, cybercrime will cost the world $10.5 trillion annually by 2025, up from $3 trillion in 2015 [1]. As organizations become more reliant on digital technologies, the risk of cyberattacks on networks continues to increase, making it a growing concern for businesses, governments, and individuals alike.

Threat detection – a crucial security apparatus

There are several tools and software solutions available for threat detection and prevention. Next-generation firewalls provide advanced network security features, such as intrusion prevention, web filtering, and application control. Intrusion detection and prevention systems detect and block unauthorized access to networks and alert security personnel to potential threats. Advanced threat protection uses machine learning and other advanced techniques to detect and prevent sophisticated cyberattacks. Data loss prevention tools monitor and control the transfer of sensitive data to prevent data breaches. Other tools include antivirus and anti-malware software, security information and event management (SIEM) systems, and network access control (NAC) solutions, among others.

Helping the detective

A key component of threat detection is network traffic analysis. Without real-time traffic intelligence on applications and services, as well as on traffic behavior at the packet and flow level, threat detection tools would have to rely on lengthy analysis of traffic logs and flow records before security incidents could be uncovered or diagnosed. Traffic intelligence is provided by network visibility tools, and deep packet inspection (DPI) is one of them.

The DPI solutions by ipoque, comprising R&S®PACE 2 and R&S®vPACE, are software engines that can be integrated into any networking solution to cover a wide variety of telco and cybersecurity use cases. These networking solutions include firewalls, load balancers, policy control engines, network assurance solutions, and network analytics tools. Leveraging cutting-edge classification techniques, R&S®PACE 2 and R&S®vPACE can detect applications and services. R&S®PACE 2 and R&S®vPACE also deliver accurate, reliable information on network traffic that is malicious or that displays anomalies and irregularities.

Improving threat detection dynamics with deep traffic intelligence

DPI identifies and classifies protocols, applications and services. Network administrators can use this information to create rules and policies based on specific protocols, applications and services. For example, they can assign riskier applications lower tolerance thresholds for changes in packet behavior than low-risk applications such as social media and file transfers. In its article [2], TechBeacon shared a list of iOS applications that were found to be high risk. This included WhatsApp Messenger, Pokémon GO, WinZip Utilities, CamScanner Productivity, Plex, WeChat and Facebook Messenger. Administrators can use this type of information to develop application-aware security policies. This helps security tools apply different levels of scrutiny and filtering to different traffic flows, which can improve the accuracy and effectiveness of threat detection.

R&S®PACE 2 and R&S®vPACE are able to identify anomalous, suspicious, and malicious threat patterns on a network. Leveraging this information, security tools can focus specifically on potentially harmful packets rather than filtering all flows, which induces network latency. A security tool such as an intrusion detection system can use the granular traffic information provided by deep packet inspection for selective filtering, where it selects only specific flows based on its own inspection criteria. Built-in DPI thus not only helps security tools increase threat detection efficiency, but also ensures that all layers of scrutiny – from malware detection to DDoS attack identification – are in place without compromising network performance.

The information on anomalous, suspicious, and malicious threat patterns gathered by DPI software also facilitates packet capture. It allows security tools to focus on potentially harmful flows, even before an incident alert is triggered. Packet capture is crucial for explaining a security event and delivering forensics on it. It helps administrators identify the event trail and unearth the exact mechanisms used by threat actors to launch an attack on the network. Without DPI, packet capture can be resource and storage intensive.

Performance effects and threats

Deep packet inspection delivers insights on network KPIs such as packet loss, jitter, time-to-first-byte, speeds, latency, and bandwidth consumption. Security tools can be programmed to identify threats based on changes in these KPIs. For example, speeds, packet loss, or latencies that deviate from the known norms of a given application, service, or time period may indicate something is amiss. A study found that malicious traffic increased DNS latencies by 230 % and web latencies by 30 % [3]. The real-time granular data on traffic attributes provided by DPI software makes it possible for any deviations from the expected performance metrics to be reported instantaneously to multiple security tools. This data can be particularly helpful in identifying data breaches or ongoing attempts to infiltrate the network.
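The two ideas above, per-application tolerance thresholds (riskier applications get stricter ones) and flagging KPIs that deviate from an application's known norm, can be combined into a small triage step that runs on DPI output. The following is an added example, not ipoque code; the application baselines, tolerances and flow records are constructed, and the engine is assumed to have already labelled each flow with its application and per-flow KPIs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Baseline:
    latency_ms: float   # known-normal latency for this application
    loss_pct: float     # known-normal packet loss
    tolerance: float    # allowed relative deviation; lower = stricter

# Constructed baselines. Riskier applications (here: messaging) get a
# lower tolerance than low-risk ones such as social media or file transfer.
BASELINES = {
    "messenger":     Baseline(latency_ms=60.0,  loss_pct=0.5, tolerance=0.25),
    "social":        Baseline(latency_ms=80.0,  loss_pct=1.0, tolerance=0.75),
    "file_transfer": Baseline(latency_ms=120.0, loss_pct=1.0, tolerance=0.75),
    "dns":           Baseline(latency_ms=20.0,  loss_pct=0.1, tolerance=0.50),
}

def deviation(observed: float, expected: float) -> float:
    """Relative increase of observed over expected; 0.0 when at or below it."""
    if expected <= 0:
        return 0.0 if observed <= 0 else float("inf")
    return max(0.0, (observed - expected) / expected)

def check_flow(record: dict) -> list:
    """Return the KPI names that exceed the tolerance of the flow's application."""
    base = BASELINES.get(record["app"])
    if base is None:
        return ["unclassified"]   # no norm to compare against: inspect it
    flagged = []
    if deviation(record["latency_ms"], base.latency_ms) > base.tolerance:
        flagged.append("latency")
    if deviation(record["loss_pct"], base.loss_pct) > base.tolerance:
        flagged.append("packet_loss")
    return flagged

def triage(records: list) -> list:
    """Keep only the flows a downstream security tool should look at."""
    results = ((r["flow_id"], check_flow(r)) for r in records)
    return [(fid, reasons) for fid, reasons in results if reasons]

# Constructed flow records in the shape a DPI engine might export.
SAMPLE = [
    {"flow_id": 1, "app": "dns",           "latency_ms": 66.0,  "loss_pct": 0.1},  # 230 % slower
    {"flow_id": 2, "app": "social",        "latency_ms": 104.0, "loss_pct": 1.0},  # 30 % slower, tolerated
    {"flow_id": 3, "app": "messenger",     "latency_ms": 78.0,  "loss_pct": 0.5},  # 30 % slower, flagged
    {"flow_id": 4, "app": "file_transfer", "latency_ms": 110.0, "loss_pct": 2.0},  # loss doubled
    {"flow_id": 5, "app": "unknown_tls",   "latency_ms": 50.0,  "loss_pct": 0.0},
]

if __name__ == "__main__":
    for flow_id, reasons in triage(SAMPLE):
        print(f"flow {flow_id}: {', '.join(reasons)}")
```

The same 30 % latency increase passes for the social media flow but is flagged for the messenger flow, which is exactly the application-aware behaviour the text describes.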

Blocklist, allowlist – what’s on the watch list?

R&S®PACE 2 and R&S®vPACE help security tools build an enterprise or telecom network's own blocklist and allowlist of protocols and applications instead of relying on global lists that may not reflect an organization’s unique security profile. Combining DPI and metadata extraction provides insights into the protocols and applications that have been most detrimental to an organization’s security and the attack vectors associated with each of them. This helps administrators maintain an up-to-date watch list that is aligned with their own risks and vulnerabilities, improving their overall security posture.

The DPI product series by ipoque also enables security tools to extract comprehensive data from all layers, creating a security analytics repository that goes beyond blocklists and allowlists. This helps to identify all other vulnerable points relating to both hardware and software in the network. Such vulnerable points can be equipment such as specific VMs, servers and CPEs, points of entry such as specific VPNs or SASE/SSE points of presence, networks such as branch networks or cloud networks, and devices such as CPEs and employee devices.

What about encrypted traffic analytics?

A growing concern for today’s security vendors is the rise in encrypted traffic flows. Encryption, while beneficial in safeguarding the privacy of data passing through the network, can work to the advantage of threat actors. Encrypted packets can be used to disguise malware, ransomware and other malicious activity, such as data theft and data infiltration. DPI technology from ipoque incorporates encrypted traffic intelligence (ETI), which uses deep learning, machine learning and high-dimensional data analysis to classify encrypted applications and services in real time. Administrators are able to perform encrypted threat analytics by tracking malicious packets and irregularities on the network without having to perform extensive decryption, which can have regulatory, confidentiality and cost implications.

Once bitten, twice shy

Past experiences often pave the way for future prevention. In the case of cyber threats, real-time network traffic intelligence can supply deep insights on past events as well as current ones. This equips administrators with the knowledge necessary to safeguard their enterprises from adversaries preying on their networks and assets. Whether it is an AI-powered attack or an operational technology (OT) attack, enterprises can count on deep packet inspection to bolster their threat detection and mitigation systems with insights that cut across all types of applications and services.


Sources

[1] https://www.prnewswire.com/news-releases/cybercrime-to-cost-the-world-10-5-trillion-annually-by-2025--301172786.html
[2] https://techbeacon.com/security/20-most-dangerous-mobile-apps-how-best-mitigate-risk
[3] https://cpham.perso.univ-pau.fr/TCP/02-779.pdf

Christine Lorenz

Christine is DPI marketing expert at ipoque, joining the company in 2013. With her background in marketing communications, she is passionate about making people aware of the capabilities of traffic analytics and DPI use cases. Christine is a lover of Vietnamese food and spends most of her spare time running and cycling, exploring nature and the outdoors and dreaming of becoming a ranger in a national park.
