Using DPI Inside a Security Product: How Do They Do That?

Using DPI inside a security product

Interview with Erik Larsson, Senior Vice President Marketing & Communication, Enea

Deep Packet Inspection (DPI) is a key technology in cybersecurity, used in next-generation firewalls and analytics platforms to provide detailed traffic understanding up to the application level. For most security vendors, sourcing a commercial DPI engine from a specialist has become the preferred method for integrating DPI into their products, since it frees up internal resources and speeds up product development.

How does a commercial DPI engine work inside a security product?

• First, network traffic is captured using for example Intel® DPDK libraries for fast packet processing.

• Packet flows are then inspected by the DPI engine, using a combination of techniques such as behavioral recognition, regexp, statistical analysis, and flow correlation.

• Next, the DPI engine classifies traffic flows up to the application layer and extracts additional information in the form of metadata or even full content (for ex. for forensics).

• The traffic information is passed on to reporting and policy functions, which send flow processing instructions to the security application.

• The security application makes flow processing and security enforcement decisions based on the DPI engine’s analysis. The picture below shows the main steps.

DPI Engine Analysis Steps

What are some typical security products using DPI?

NG Firewalls
The DPI engine identifies applications based on protocol grammar analysis, not ports. It can even identify actions within an application (such as login, browse, chat, file transfer, etc.). In addition, it extracts communications metadata such as message senders and receivers, and names of files shared or attached in an application.

Malware Protection
Solutions for malware protection, data loss prevention (DLP) and threat analysis need to dig deep into the payload of network traffic. In this case, a DPI engine is used to classify protocols, and extract metadata and file content. This gives developers the ability to expose file movements at the network level to track potential malware and data exfiltration.


More info on Qosmos DPI engine for cybersecurity solutions