Hello Folks 👋, Welcome to Bug XS Blog.
In this blog I am going to explain about Deep Packet Inspection (DPI).
Deep Packet Inspection (DPI) is a kind of Data Analysis Method that inspects data being sent over a computer network in details. In Traditional Packet inspection we just look at headers,but in Deep Packet Inspection (DPI) we inspect data part as well. A image below will give you the gist about the same.
For Doing DPI, we should have access to encryption because all the traffic that goes into the network are in encrypted format and for doing DPI data should be unencrypted so that we can analyze it.
Mainly DPI is used by your Internet Service Provider (ISP) for monitoring data and rule out data which does not match the compliance rule. In Stateful or Traditional Packet inspection we can only know Where the packet is going, What Protocol it is using, What port it is using.
So the disadvantage lies here.What if attacker is sending malicious code through legitimate IP address?? Traditional Packet inspection can not stop this type of attacks. So, to mitigate this kinds of attacks DPI is used. DPI has three methods:
Port- Based Detection
Heuristic and Behavior Analysis
Let’s us understand all these methods one by one. You are going to enjoy this🤩
Port-Based Detection We all are aware that we do not keep every port open in a system for communication. isn't it? So, in Port-Based detection the DPI tools checks the port.If DPI tools checks the port associated with communication and also checks the port details in pre-existing database to identify the legitimacy of the traffic. If DPI tools finds that the port mentioned are not used for communication,then that communication is blocked BUT if there is the case of lateral movement, attacker will not use any ports,and Port-Base detection wont work!
Signature-Based Detection We can say that Signature based detection case is the most effective way to detect the threats.
What is signature?? Signature is the hash value of a malicious file that has been already saved before in the database. Yes, you are right, antivirus runs in similar manner. So the DPI tool created the hash value of data of each packet that is being transmitted and checks with existing database of malicious signatures.If signature matches then the packet is dropped. So, the downside of Signature Based detection is that is cannot stop zero day attacks as signatures of zero day attacks are unprecedented and database does not have that value.
Heuristic and Behavior-Based Detection As the name suggest,this method uses the behavior of the packet that is being sent. So, anything other than the normal or usual would create a alert. In Heuristic and Behavior-Based Detection a self learning algorithm is used. That is nothing but Artificial Intelligence. So, for example everyday a teachers in a school punch their card between 9 AM — 10 AM, so the server saves the data between that time but one day server receives similar kind of data at 1 AM in the morning,then this can be considered as attack as this scenario is unusual. So heuristic Engine (Shown in below picture) collects information from many devices and understand the network then only decision is made by the system that packet is malicious or normal thing.
Hope this blog was productive 🔥