Deep Packet Inspection

What Is Deep Packet Inspection?

Deep Packet Inspection, DPI, also known as Complete Packet Inspection or Packet Sniffing, is an extremely advanced packet filtering method that effectively inspects packet contents.

Ordinary packet filtering methods only examine the info in the header of the packet transmitted through the inspection point, such as IP address, port number, etc. DPI, on the other hand, examines and evaluates a wider range of metadata and headers in a packet to search for and clean up non-compliant protocols, viruses, spam, and malicious intrusions, and decides whether the packet passes through or needs to be routed to the next destination based on the relevant criteria.

Overall, DPI has a wide range of applications to enhance network management, user services, and security functions, and can also be used for Internet data mining, eavesdropping, or Internet censorship.

Techniques of Deep Packet Inspection

DPI relies on the following three main techniques to filter packets.

Pattern or Signature Matching

This method enables DPI to scrutinize packet contents and match them against a database of known threats to detect potential dangers. If the DPI consistently updates its database, it can effectively halt malicious traffic. The primary limitation of this approach, however, is that it is only effective against familiar threats and falls short in identifying novel attacks.

Protocol Anomaly

Protocol Anomaly compensates for the shortcomings of the previous technique by employing a "default deny" policy. Under this policy, only data that meets the requirements of the protocol can pass through.

Intrusion Prevention System

IPS technology is utilized to intercept and block malicious packets instantaneously, actively filtering network traffic according to predefined rules. However, the risk of false positives exists, and a cautious policy could help mitigate this issue.

limitations of Deep Packet Inspection

1. DPI may create new vulnerabilities while discovering existing ones. While it is effective in preventing malicious attacks, sometimes DPI can be exploited by these attacks.

2. The use of DPI adds complexity and challenges to operating firewalls and security applications. Also, DPI requires continuous updating and revising of its database, which undoubtedly adds to the administrative burden.

3. DPI reduces the speed and performance of computers because it puts an additional burden on the CPU.