Network Shunt-DPI Deep Packet Detection Technology and Its Functions

Source: Internet
Author: User
Tongteng Network Shunt, also known as the core network collector, is an important piece of basic equipment for the network monitoring front end in the network security field. It is essential equipment for network security as a whole and plays a key role in it. Currently, the fixed network has been upgraded to 400 GB, supporting different links. The mobile Internet signaling collection traffic has been upgraded to a GB interface, supporting separate traffic distribution for different carriers, and IPv4 and IPv6. Today, we will introduce the popular Deep Packet detection technology and its functions. --- Network Shunt

Network Shunt ATCA Frame Type focuses on high density and cost-effectiveness

The Network Shunt cartridge supports 48 10 Gbit/s

The Network ATCA frame-type Network Shunt has a maximum of 14 slots, supports 480 10 GB and 76 100 GB, and the switching capability reaches 12.8 TB.

16-cell network shunt with the latest orthogonal architecture, with an exchange capability of 52.6 TB and a data processing capability of 26.5 TB

Network Shunt-DPI Deep Packet detection technology and functions

Rong | Teng mobile Internet signaling collection currently supports a maximum of 384 10g, 48g, and 96 10g, 14-groove ATCA Frame

DPI

DPI stands for "Deep Packet Inspection", also rendered "Deep Packet detection". The "depth" is relative to the layers analyzed by common packet detection. "Common packet detection" only analyzes the content at Layer 4 and below of the IP packet, including the source address, destination address, source port, destination port, and protocol type. In addition to this analysis, DPI adds application layer analysis, identifying various applications and their content.

The basic concepts are shown in:


DPI of Network Shunt

DPI Technical Principles

The key to DPI technology is to efficiently identify various applications on the network.

Common packet detection uses port numbers to identify application types. For example, port number 80 indicates an Internet application. Some illegal applications on the current network use hidden or fake port numbers to avoid detection and supervision, and data streams posing as legitimate packets erode the network. Traditional detection methods at layers L2 to L4 are no longer effective.

DPI technology inspects the content of data packets in the application stream to determine the real application behind them. An application can hide its port number, but it is difficult to hide the protocol features of the application layer.

DPI recognition technology can be divided into the following categories:

(1) Recognition Technology Based on "special characters"

Different applications usually rely on different protocols, and each protocol has its own fingerprint, which may be a specific port, a specific string, or a specific bit sequence. Recognition technology based on "feature words" inspects specific datagrams in a business flow to determine the application carried by that flow.

Depending on the detection method, recognition based on "feature words" can be divided into fixed-position feature word matching, variable-position feature matching, and state feature matching.

By upgrading the "fingerprint" information, feature-based recognition technology can easily be extended to detect new protocols.

The key to DPI is that it constantly identifies characteristic strings in unformatted data packets. The basic technology behind this process is pattern matching. In layman's terms, it is string matching, that is, searching the data for a target string. Generally, the target string is described using standard regular expression syntax.
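The three matching styles above can be contrasted with port-based detection in a short sketch. This is an added example, not code from the original page or from any DPI product; the signature table, function names and sample payloads are constructed for illustration.

```python
import re

# Constructed signature table (illustrative, not a vendor rule set).
# offset=int -> fixed-position match; offset=None -> variable-position search.
SIGNATURES = [
    ("ssh",        0,    re.compile(rb"SSH-2\.0-")),
    ("bittorrent", 0,    re.compile(rb"\x13BitTorrent protocol")),
    ("http",       0,    re.compile(rb"(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")),
    ("sip",        None, re.compile(rb"\r\nCSeq: \d+ [A-Z]+\r\n")),
]

def classify_by_port(dst_port):
    """Common packet detection: trust the L4 port number."""
    return {80: "http", 22: "ssh", 25: "smtp"}.get(dst_port, "unknown")

def match_payload(payload):
    """Fixed- and variable-position feature word matching on one payload."""
    for app, offset, pattern in SIGNATURES:
        if offset is None:
            hit = pattern.search(payload)          # anywhere in the payload
        else:
            hit = pattern.match(payload, offset)   # only at the given offset
        if hit:
            return app
    return None

class FlowClassifier:
    """State feature matching: the verdict depends on features seen in order
    across several packets of the same flow."""
    def __init__(self):
        self.state = {}

    def feed(self, flow_id, direction, payload):
        app = match_payload(payload)
        if app:
            return app
        # SMTP: the server greeting "220 " must precede the client EHLO/HELO.
        if direction == "s2c" and payload.startswith(b"220 "):
            self.state[flow_id] = "smtp_greeting"
        elif (direction == "c2s" and self.state.get(flow_id) == "smtp_greeting"
              and re.match(rb"(EHLO|HELO) ", payload)):
            return "smtp"
        return "unknown"
```

An SSH banner sent to port 80 is labelled `http` by `classify_by_port` but `ssh` by `match_payload`, which is the gap between L4 detection and DPI that the text describes.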

(2) Application Layer Gateway Recognition Technology

For some services the control flow is separated from the business flow, and the business flow itself has no distinguishing features. In this case, Application Layer Gateway identification technology is needed.

The Application Layer Gateway first identifies the control flow, parses it with a gateway specific to the control flow protocol, and identifies the corresponding business flow from the protocol content.

A different Application Layer Gateway is required to analyze each protocol.

For example, the SIP and H.323 protocols belong to this type. SIP/H.323 obtains its data channel through signaling interaction and negotiation; the channel generally carries audio streams encapsulated in RTP format. That is to say, detecting the RTP stream alone does not reveal which protocol established it. The complete analysis can be obtained only by inspecting the SIP/H.323 protocol interaction.
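A minimal sketch of the SIP case follows, as an added example that is not from the original page. The class name, the constructed INVITE message and the documentation-range address are assumptions; a real gateway would also track the answer, port changes and session teardown.

```python
import re

# Constructed SIP INVITE with an SDP body (address from a documentation range).
SIP_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Call-ID: a84b4c76e66710\r\n"
    b"Content-Type: application/sdp\r\n"
    b"\r\n"
    b"v=0\r\n"
    b"c=IN IP4 192.0.2.10\r\n"
    b"m=audio 49170 RTP/AVP 0\r\n"
)

class SipAlg:
    """Parses the SIP control flow and remembers the negotiated media endpoint."""
    def __init__(self):
        self.expected = {}  # (ip, udp_port) -> Call-ID of the negotiating session

    def inspect_control(self, message):
        head, _, sdp = message.partition(b"\r\n\r\n")
        call_id = re.search(rb"(?mi)^Call-ID:\s*(\S+)", head)
        conn = re.search(rb"(?m)^c=IN IP4 (\S+)", sdp)
        media = re.search(rb"(?m)^m=audio (\d+) RTP/AVP", sdp)
        if not (call_id and conn and media):
            return None
        key = (conn.group(1).decode(), int(media.group(1)))
        self.expected[key] = call_id.group(1).decode()
        return key

    def classify_media(self, dst_ip, dst_port, payload):
        # RTP has no string feature: only a 12-byte header with version 2
        # in the top two bits, which many other UDP payloads also satisfy.
        looks_like_rtp = len(payload) >= 12 and payload[0] >> 6 == 2
        call_id = self.expected.get((dst_ip, dst_port))
        if looks_like_rtp and call_id:
            return f"rtp (sip call {call_id})"
        return "rtp-like, origin unknown" if looks_like_rtp else "unknown"
```

The same RTP packet gets a definite verdict only when its destination matches an endpoint learned from the control flow.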

(3) Behavior Pattern Recognition Technology

Behavior pattern recognition technology analyzes the behavior that a terminal has already carried out to determine the action the user is performing or is about to perform. It is usually used to identify businesses that cannot be determined from the protocol. Example: the business flow of spam is exactly the same as the normal email business flow in terms of the email content; only by analyzing user behavior can spam businesses be accurately identified.

The above three identification technologies are used to identify different types of protocols and cannot replace each other. In Huawei's DPI technology, the Multi-Service Control Gateway (MSCG) hierarchical DPI solution is adopted in the DPI system. With these three technologies used together, both detection efficiency and flexibility are optimized.

DPI Technology Application

Deploying the DPI system in an IP network provides business identification, business control, and business statistics functions in network operations.

Business Identification

Generally, business identification covers two kinds of business: legitimate services that the operator has activated, and business that the operator is required to supervise.

The former can be identified by the 5-tuple of a business flow. For example, for a VoD service, the business flow address belongs to the VOD server network segment and the port is a fixed port. The system generally uses ACLs to identify such businesses.

The latter requires DPI technology: using the business identification methods described above, the IP packet content is analyzed, and feature word lookup or business behavior statistics are used to obtain the business flow type.

Business Control

After DPI technology identifies the various types of business flows, the business flow is controlled according to combined conditions from the network configuration, such as user, time, bandwidth, and historical traffic. Control methods include normal forwarding, blocking, bandwidth restriction, ×××, and remarking priority.

To facilitate business operation, business control policies are generally configured in the Policy server and dynamically distributed after the User goes online.

Supports four 100 GB cartridges

Business Statistics

DPI's service statistics function is designed to intuitively measure the distribution of business traffic on the network and the business usage of users, so as to better discover factors that promote business development and factors that affect normal network operation, and to provide a basis for network and business optimization. Examples include discovering the businesses that attract users, verifying whether the service level has reached the user's service level agreement (SLA), and making statistical analysis of the network * ** traffic volume, the number of users using a certain game business, the services that consume the most network bandwidth, and users who have used illegal VoIP.

Development of DPI Technology

We can see that DPI detection technology and the anti-detection techniques of abnormal applications on the network stand in the relationship of spear and shield. The DPI technology described earlier is not static. As detection technology develops, the hiding techniques of abnormal applications also evolve, for example partial data encryption, hiding feature characters, and avoiding detection through tunnel technology.

As DPI technology develops, the above detection methods will be constantly adjusted to achieve high detection accuracy.

In short, DPI technology will gradually be widely used in security, business control, and other aspects, to provide a powerful tool - Network Shunt
