DFI uses an application recognition technique based on traffic behavior: different application types differ in the state of their session connections or data flows. For example, IP voice traffic has very distinctive flow-state characteristics: the RTP packet length is relatively fixed, generally 130~220 bytes, the connection rate is low, at 20~84 kbit/s, and the session duration is relatively long. Traffic from peer-to-peer downloading, by contrast, is characterized by an average packet length above 450 bytes, long download times, a high connection rate, and TCP as the preferred transport-layer protocol. DFI builds a traffic characteristic model from this series of behavioral characteristics. It analyzes information such as the packet length, connection rate, transmitted byte volume, and inter-packet spacing of a session's flow, and compares it with the traffic model in order to identify the application type.
Because DFI only analyzes flow behavior, it can only classify applications into general types. Traffic that matches the peer-to-peer flow model is uniformly identified as peer-to-peer traffic, and traffic that matches the network voice model is uniformly classified as VoIP traffic, but DFI cannot determine whether a flow uses H.323 or another protocol. If packets are transmitted encrypted, DPI-based flow control cannot identify the specific application, whereas DFI-based flow control is not affected, because encryption does not fundamentally change the state and behavior characteristics of the application's flow.
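The comparison against flow models described above can be sketched as follows. This is an added example, not code from the original page or from any DFI product; the `Packet` record, the `LONG_SESSION_S` and `P2P_MIN_RATE` cut-offs, and the sample flows are assumptions constructed for illustration, while the packet-length and rate ranges are the ones quoted in the text.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    ts: float     # capture time, seconds
    length: int   # bytes on the wire; the payload is never read
    proto: str    # transport protocol: "TCP" or "UDP"

VOIP_LEN = (130, 220)      # bytes, from the text
VOIP_RATE = (20.0, 84.0)   # kbit/s, from the text
P2P_MIN_LEN = 450          # bytes, from the text
LONG_SESSION_S = 60.0      # ASSUMPTION: what counts as a "long" session
P2P_MIN_RATE = 500.0       # ASSUMPTION: what counts as a "high" rate, kbit/s

def flow_features(pkts):
    """Reduce one flow to the behavioural features DFI compares to its models."""
    pkts = sorted(pkts, key=lambda p: p.ts)
    duration = pkts[-1].ts - pkts[0].ts
    total = sum(p.length for p in pkts)
    return {
        "mean_len": total / len(pkts),
        "duration": duration,
        "rate_kbps": total * 8 / 1000 / duration if duration > 0 else 0.0,
        "mean_gap": duration / (len(pkts) - 1) if len(pkts) > 1 else 0.0,
        "proto": pkts[0].proto,
    }

def classify(pkts):
    """Return the coarse class only: 'voip', 'p2p' or 'unknown'."""
    if len(pkts) < 2:
        return "unknown"          # a single packet has no flow behaviour
    f = flow_features(pkts)
    long_lived = f["duration"] >= LONG_SESSION_S
    if (long_lived and VOIP_LEN[0] <= f["mean_len"] <= VOIP_LEN[1]
            and VOIP_RATE[0] <= f["rate_kbps"] <= VOIP_RATE[1]):
        return "voip"
    if (long_lived and f["proto"] == "TCP" and f["mean_len"] > P2P_MIN_LEN
            and f["rate_kbps"] >= P2P_MIN_RATE):
        return "p2p"
    return "unknown"

# Constructed sample flows (metadata only, as an encrypted capture would give).
VOIP_FLOW = [Packet(i * 0.02, 172, "UDP") for i in range(6000)]    # ~120 s
P2P_FLOW = [Packet(i * 0.005, 1200, "TCP") for i in range(18000)]  # ~90 s
WEB_BURST = [Packet(i * 0.05, 600, "TCP") for i in range(20)]      # ~1 s

if __name__ == "__main__":
    for name, flow in [("voip", VOIP_FLOW), ("p2p", P2P_FLOW), ("web", WEB_BURST)]:
        print(name, classify(flow), flow_features(flow))
```

The classifier reads only timestamps, lengths and the transport protocol, so its result is the same whether or not the payload is encrypted, and it returns only the general class, never the specific protocol.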
The traffic anomaly model applies a baseline template to a user-defined monitoring range (Internet, interconnected autonomous domain, subnet, router, server, interface, monitoring conditions, etc.). The traffic anomaly detection model relies mainly on the system forming a flow baseline from the normal traffic in the network, and then dynamically analyzing abnormal traffic against that network traffic model, in order to discover traffic surges and sudden drops in the network as early as possible. For different monitoring ranges, users can define and use different traffic baseline templates. The system supports automatic establishment and updating of traffic baselines, and allows administrators to manually set and adjust baseline parameters and value periods, and to exclude specific days of abnormal traffic or attacks from the calculation so that they do not affect the accuracy of the baselines. Through parameter settings, the system can divide the severity of abnormal network traffic into several levels according to its impact on network efficiency, including normal, moderate anomaly (yellow), and high anomaly (red), and users can set appropriate parameters for each detection range.