Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

Challenges in the implementation of systems for deep packet inspection by the method of full protocol decoding

https://doi.org/10.15514/ISPRAS-2023-35(4)-2

Abstract

This paper summarizes the experience of developing a deep packet inspection (DPI) system based on full protocol decoding. It reviews the challenges encountered during implementation and gives a high-level overview of how they were addressed. The challenges fall into two groups. The first comprises the fundamental tasks that any full-decoding system must solve: correct protocol parsing, i.e. identifying and interpreting protocol headers and fields; handling fragmented packets and reassembling the fragments into the original message; and processing and analysing encrypted traffic, which may require specialized algorithms and tools. The second group concerns optimizing full protocol decoding for high-speed traffic processing, supporting new protocols, and allowing user-defined extensions. Open-source systems address some of the primary problems of full protocol decoding, but additional effort and specialized solutions are usually needed to operate such systems efficiently and to extend their functionality. Although deep traffic analysis by full protocol decoding requires advanced hardware and software, its benefits are significant: it gives a more complete picture of network traffic, enables more effective detection and prevention of cyber-attacks, and allows more accurate monitoring of network performance, including the identification of bottlenecks and other issues that reduce network efficiency.
We also emphasize the importance of designing and implementing a suitable system architecture for the successful deployment of full-decoding traffic analysis tools. Finally, we report an experiment in which several advanced optimizations were added to a system that had already solved the primary problems. These optimizations concern memory handling and exploit the structure of the traffic processing pipeline. The results show a significant performance improvement on the secondary tasks described in this work.
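As an added illustration, not code from the system the paper describes, the following Python sketch shows the two fundamental tasks named in the abstract, fragment reassembly and bounds-checked field parsing, for a hypothetical protocol: a message is a run of type/length/value fields, and it travels in fragments carrying a message id, a byte offset and a last-fragment flag, modelled on IPv4 fragmentation. The format, the fragment header, the per-message fragment cap and all sample data are constructed for this example.

```python
"""Fragment reassembly and bounds-checked decoding of a constructed TLV protocol.

Added illustration, not code from the paper's DPI system. The TLV message
format and the fragment header (message id, byte offset, last-fragment flag)
are hypothetical, modelled on IPv4 fragmentation; all sample data is constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_PIECES = 64   # per-message cap so a flood of tiny fragments cannot exhaust memory (assumed value)


class DecodeError(ValueError):
    """Malformed input: the packet is dropped rather than interpreted by guesswork."""


@dataclass
class Fragment:
    msg_id: int      # identifies the original message (like the IPv4 identification field)
    offset: int      # byte offset of this piece within the original message
    last: bool       # True for the final piece (like IPv4 with the MF bit clear)
    payload: bytes


@dataclass
class Reassembly:
    pieces: List[Tuple[int, bytes]] = field(default_factory=list)
    total: Optional[int] = None     # known once the last fragment has arrived


def add_fragment(table: Dict[int, Reassembly], frag: Fragment) -> Optional[bytes]:
    """Insert a fragment; return the whole message once every byte is covered, else None.

    Overlapping fragments whose bytes disagree are rejected outright. Endpoints differ
    on whether the first or the last copy wins, which is exactly the ambiguity that
    fragment-overlap IDS evasion exploits, so the engine refuses to guess.
    """
    if frag.offset < 0:
        raise DecodeError("negative fragment offset")
    r = table.setdefault(frag.msg_id, Reassembly())
    start, end = frag.offset, frag.offset + len(frag.payload)
    if frag.last:
        if r.total is not None and r.total != end:
            raise DecodeError("conflicting message length")
        r.total = end
    if r.total is not None and any(o + len(d) > r.total for o, d in r.pieces + [(start, frag.payload)]):
        raise DecodeError("fragment extends past declared end")
    for off, data in r.pieces:
        lo, hi = max(start, off), min(end, off + len(data))
        if lo < hi and frag.payload[lo - start:hi - start] != data[lo - off:hi - off]:
            raise DecodeError("overlapping fragments disagree")
    if len(r.pieces) >= MAX_PIECES:
        del table[frag.msg_id]
        raise DecodeError("too many fragments")
    r.pieces.append((start, frag.payload))
    if r.total is None:
        return None
    buf, covered = bytearray(r.total), bytearray(r.total)
    for off, data in r.pieces:
        buf[off:off + len(data)] = data
        covered[off:off + len(data)] = b"\x01" * len(data)
    if not all(covered):
        return None                      # a hole remains; keep waiting
    del table[frag.msg_id]
    return bytes(buf)


TLV_HDR = struct.Struct("!BH")           # field type, field length (big-endian)


def decode_tlv(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV run, checking every length against the bytes actually present."""
    fields, pos = [], 0
    while pos < len(data):
        if len(data) - pos < TLV_HDR.size:
            raise DecodeError("truncated TLV header")
        ftype, flen = TLV_HDR.unpack_from(data, pos)
        pos += TLV_HDR.size
        if flen > len(data) - pos:
            # the length field is attacker-controlled; trusting it here is the classic over-read
            raise DecodeError("TLV length exceeds message")
        fields.append((ftype, data[pos:pos + flen]))
        pos += flen
    return fields


def encode_tlv(fields: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(TLV_HDR.pack(t, len(v)) + v for t, v in fields)


def fragment(msg_id: int, data: bytes, size: int) -> List[Fragment]:
    """Sender side for the demo: split a message into fixed-size fragments."""
    return [Fragment(msg_id, off, off + size >= len(data), data[off:off + size])
            for off in range(0, len(data), size)]


def is_malformed(data: bytes) -> bool:
    try:
        decode_tlv(data)
    except DecodeError:
        return True
    return False


# constructed sample: an HTTP-like request carried as three TLV fields
SAMPLE_FIELDS = [(1, b"GET"), (2, b"/index.html"), (3, b"example.test")]


def demo_out_of_order() -> List[Tuple[int, bytes]]:
    """Deliver the fragments last-first; decoding happens only once the message is whole."""
    table: Dict[int, Reassembly] = {}
    results = [add_fragment(table, f) for f in reversed(fragment(7, encode_tlv(SAMPLE_FIELDS), 8))]
    return decode_tlv(results[-1])


def demo_overlap_evasion() -> Optional[str]:
    """A second fragment rewrites bytes already received; the engine drops it instead of choosing."""
    table: Dict[int, Reassembly] = {}
    first, _ = fragment(9, encode_tlv([(2, b"/index.html")]), 8)
    add_fragment(table, first)
    try:
        add_fragment(table, Fragment(9, 4, False, b"/admin"))
    except DecodeError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(demo_out_of_order())
    print(demo_overlap_evasion())
    print(is_malformed(b"\x01\x00\x10abc"))
```

The two checks a naive decoder skips are the ones that matter for a DPI engine: the length field of every TLV is compared against the bytes actually present before any slice is taken, and fragments that overlap with different content are refused rather than resolved by a first-wins or last-wins policy. A production engine additionally needs timers to expire incomplete reassemblies and a global memory budget across all messages; the per-message fragment cap here is the smallest such control.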

About the Authors

Roman Evgenevich PONOMARENKO
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation

PhD student, intern researcher at ISP RAS. Research interests: software architecture, program optimization, deep packet inspection.



Vladislav Igorevich EGOROV
Ivannikov Institute for System Programming of the Russian Academy of Sciences
Russian Federation

PhD student, intern researcher at ISP RAS. Research interests: processing, analysis and storage of network traffic analysis results.



Aleksandr Igorevich GETMAN
Ivannikov Institute for System Programming of the Russian Academy of Sciences, Moscow Institute of Physics and Technology (National Research University), National Research University «Higher School of Economics», Lomonosov Moscow State University
Russian Federation

Ph.D in physical and mathematical sciences, senior researcher at ISP RAS, assistant at CMC MSU and MIPT, associate professor at HSE. Research interests: binary code analysis, data format recovery, network traffic analysis and classification.




Supplementary files

1. Generalized representation of the process of network traffic analysis (research materials, 81KB)
2. Representation of metadata as an array of large structures (research materials, 32KB)
3. Representation of metadata in the form of arrays of small related structures (research materials, 29KB)


For citations:


PONOMARENKO R.E., EGOROV V.I., GETMAN A.I. Challenges in the implementation of systems for deep packet inspection by the method of full protocol decoding. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2023;35(4):45-64. (In Russ.) https://doi.org/10.15514/ISPRAS-2023-35(4)-2



Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)