Deep Packet Inspection (DPI) is the in-depth analysis of packets sent over the Internet. All communication over the Internet, including our VoIP calls (such as Skype), the websites we visit, and the emails we send, transfers its data in packets.

A data packet can be compared with a letter in the traditional postal system: the envelope carries the names and addresses of the sender and the receiver, and the content inside is meant only for the receiver. The postal service uses the address on the envelope to deliver the letter and does not check what is inside. Packets sent over the Internet are routed in the same way: each packet carries a source and a destination IP address, and the destination address is used to deliver it to the intended recipient. The hops along the path do not look at the body or content of a packet; they use only the destination address to route it. Packet inspection is not a new concept; DPI builds on this existing technique and takes packet inspection to another level.

Types of Packet Inspections:

Shallow Packet Inspection

SPI inspects the packet’s header to identify the source and destination IP addresses, and that information is used to route the packet to its destination. Its scope is limited to layers 2 and 3 of the OSI model. Generic firewalls use this type of inspection to block unwanted connections from blacklisted IPs.

Medium Packet Inspection

MPI refers to application proxies or devices that act as an intermediary between the end user and the Internet gateway. The sole purpose of these proxies is to analyze the packet headers, including the packet type as determined by its data format, and compare it against a loaded parse list to allow or refuse its transmission. The pre-loaded parse list can be updated at any time by the administrator. Instead of deciding on the basis of the IP address, MPI takes the packet type into account when deciding what action to take.

What is Deep Packet Inspection?

DPI allows us to inspect packets beyond the header and footer. It can dig deeper and obtain granular information such as the application to which the packet belongs and the content of the packet.

The introduction of DPI brings analysis of the packet content into the picture, which serves several purposes: it helps identify malicious packets and intrusions, and it supports traffic management as well.

DPI strips the header and footer from the packet and inspects the payload, performing signature matching and looking for specific strings and other details.


Applying DPI on a large scale requires high-end computing resources to analyze the collected data, and the analysis can introduce latency in the transmission of the packets. DPI can be implemented as a physical device or as a software application.

Several methods are used by DPI to perform the inspection; popular ones include the port-based, statistical, and automaton-based approaches. The port-based method is the standard protocol identification approach: it inspects the port fields in the TCP/UDP headers for the port numbers commonly assigned to each protocol. Statistical analysis focuses on classifying the traffic rather than on the payload, gathering generic information such as packet length and port numbers to classify the traffic. The automaton-based approach is the widely preferred pattern/regular-expression matching technique; it uses a finite state machine for pattern matching, with the following states: an initial state, acceptance states for matched patterns, and intermediate states for partial matches. Matching begins in the initial state when a payload string enters the automaton engine; if the process reaches a final (acceptance) state, a match has been found.
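As an added example (not code from the original article), the shallow and deep steps combined in one Python script: the port-based check reads the TCP destination port from a constructed IPv4/TCP packet, and an Aho-Corasick finite state machine with the initial, partial-match and acceptance states described above scans the stripped payload for a constructed signature set. The signatures, addresses and packet contents are assumptions made for the demonstration.

```python
import struct
def build_automaton(patterns):
    """Aho-Corasick tables: state 0 is initial, states with output are acceptance states."""
    goto, output = [{}], [set()]          # goto[state][byte] -> state; output[state] -> labels
    for pat, label in patterns.items():   # the trie of the patterns gives the partial-match states
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto[s][b] = len(goto)
                goto.append({})
                output.append(set())
            s = goto[s][b]
        output[s].add(label)
    fail, queue = [0] * len(goto), list(goto[0].values())   # depth-1 states fail back to state 0
    while queue:                          # breadth-first, so fail[r] is known before r's children
        r = queue.pop(0)
        for b, s in goto[r].items():
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            output[s] |= output[fail[s]]  # a shorter pattern may end inside this one
            queue.append(s)
    return goto, fail, output

# Constructed signatures (not from the article): labelled byte patterns, all matched in one pass.
SIGNATURES = {b"GET /": "http-request", b"/admin": "admin-path", b"\x16\x03\x01": "tls-client-hello"}
AUTOMATON = build_automaton(SIGNATURES)

def scan(payload):                        # feed the payload byte by byte, collect acceptance labels
    goto, fail, output = AUTOMATON
    s, hits = 0, set()
    for b in payload:
        while s and b not in goto[s]:     # no transition: fall back to the longest matching suffix
            s = fail[s]
        s = goto[s].get(b, 0)
        hits |= output[s]
    return sorted(hits)

def make_packet(dst_port, payload):       # constructed IPv4/TCP packet 10.0.0.1 -> 10.0.0.2, checksums zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, b"\n\0\0\1", b"\n\0\0\2")
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip + tcp + payload

def inspect(packet):
    """Shallow step: classify by TCP port. Deep step: strip the headers and scan the payload."""
    ihl = (packet[0] & 0x0F) * 4                                  # IPv4 header length
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]    # TCP destination port
    payload = packet[ihl + (packet[ihl + 12] >> 4) * 4:]           # skip the TCP header (data offset)
    return {80: "http", 443: "https"}.get(dst_port, "unknown"), scan(payload)
```

A plain-text HTTP request sent to port 443 is labelled "https" by the port-based step but "http-request" and "admin-path" by the automaton, which is exactly the gap that payload inspection closes.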

Importance of DPI

Optimization of network traffic by ISP: