Monday, March 26, 2012

DPI - A Client Approach for Application Identification

A new paper by Tomasz BujlowKartheepan BalachandranSara Ligaard HaldM. Tahir Riaz and Jens Myrup Pedersen (pictured) from Department of Electronic Systems Networking and Security Center for Network Planning of Aalborg University descibes a new approach for traffic classification.
"To overcome the drawbacks of existing methods for traffic classification (by ports, Deep Packet Inspection, statistical classification) a new system was developed, in which the data are collected and classified directly by clients installed on machines belonging to volunteers".

I wonder how such technology could be used by ISPs for traffic management (why would someone agree to install it?), or even for analytics (privacy concerns). Nevertheless,  some more quotes from the publication follows:
"Our approach combines the information obtained from the system sockets, the HTTP content types, and the data transmitted through network interfaces. It allows to group packets into flows and associate them with particular applications or types of service. This paper presents the design of our system, the implementation, the testing phase and the obtained results. The performed threat assessment highlights potential security issues and proposes solutions in order to mitigate the risks. Furthermore, it proves that the system is feasible in terms of uptime and resource usage, assesses its performance and proposes future enhancements. We released the system under The GNU General Public License v3.0 and published as a SourceForge project called Volunteer-Based System for Research on the Internet".

"Obtained results proved that the system is feasible, and capable of providing detailed information about the network traffic. Therefore, it can be useful for creating different applications traffic profiles".

See "Volunteer-Based System for classification of traffic in computer networks" - here.

1 comment:

  1. It’s always interesting to see packets-coloring evolve; thanks for reporting that.

    Similar client–based approaches, mainly focusing on bandwidth shaping applications, have been tested on the market in the last decade with limited success. Think about Centricity software (disappeared), Mobidia in Vancouver, with their Optimization & Subscriber-centric Policy (does not appear to be the focus anymore), as well as the first-to-market that I am aware of, Check Point Software, with their FloodGate-1 product (looking at their references to RealAudio and VDOlive in their product documents suggests me that the product has been on the back burner for long time now..).

    Anyways, I agree with you Azi that the end-users will definitively not want to install that on their computing devices voluntarily. IMO, in the long run, they will be forced to do so as I envision that this functionality will become part of Network Admission Control (NAC) clients and will be expected as part of Layer 3 network admission.

    In its current state, the situation on the Internet is more or less like the days when cars did not require a license plate, as well as to comply with strict security requirements, to get on the public roads system. This is why we need DPI to inspect the car and more-or-less control the vehicle and its driver. It requires a lot of cops and resources, and it is very imperfect.

    IMO, Network Admission Control (NAC) + Trusted Computing Architecture (TCA) (the driver license) + Client-based packets classification (the license plate) will become the norm one day; sorry for that. As it is the case with cars, expect to lose anonymity. Also expect to lose control over installed software and data.