A Scalable Carrier-Grade DPI System Architecture Using Synchronization of Flow Information

This paper explains the concept of deep packet inspection (DPI) and focuses on the technical issues of deploying DPI systems in the backbone network of an Internet service provider (ISP). First, the content identification technologies used by DPI are briefly explained, and the clustering mechanisms that let multiple DPI systems support a large aggregate bandwidth are treated in detail. Second, a flow-synchronization-based DPI architecture is introduced to achieve high scalability in system configuration and high identification accuracy without rerouting data flows. On top of this architecture, flow information synchronization and adaptive traffic control using polling-based bandwidth arbitration and virtual queue synchronization are proposed, so that flows that asymmetric routing distributes randomly over the DPI modules can still be identified and controlled accurately. The proposed architecture was built as a 40-Gb/s system with four 10-Gb/s DPI modules, and the performance of the proposed mechanisms is demonstrated by practical tests run on real traffic in an ISP backbone network. Finally, the scalability and flexibility of the proposed mechanisms are reviewed from the viewpoint of enabling technologies for smart networks.
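As an added illustration (not the paper's code or system), the following Python sketch models four DPI modules whose packet assignment is fixed by an asymmetric route, and compares per-module flow tables against a flow table synchronized across modules. The packet trace, the two toy signatures and the shared-dictionary "sync channel" are constructed assumptions.

```python
# Added illustration of flow-information synchronization across DPI modules.
# Not the paper's code: trace, signatures and the sync table are constructed.
from dataclasses import dataclass, field

# Toy signatures matched against the start of a packet payload (assumed).
SIGNATURES = {b"GET ": "http", b"\x13BitTorrent protocol": "bittorrent"}

def bidir_key(pkt):
    """Direction-independent flow key so both halves of a flow share one entry."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"],) + tuple(ends)

def classify(payload):
    for sig, app in SIGNATURES.items():
        if payload.startswith(sig):
            return app
    return None

@dataclass
class DpiModule:
    name: str
    shared: dict                                # table synchronized among all modules
    local: dict = field(default_factory=dict)   # table seen by this module only

    def inspect(self, pkt, sync):
        table = self.shared if sync else self.local
        key = bidir_key(pkt)
        if key not in table:
            app = classify(pkt["payload"])
            if app:
                table[key] = app                # first identifying packet pins the app
        return table.get(key, "unknown")

def make_pkt(src, sport, dst, dport, payload, ingress):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "payload": payload, "ingress": ingress}

# Constructed trace. 'ingress' is the module each packet reaches; the asymmetric
# route delivers the reverse direction of each flow to a different module.
TRACE = [
    make_pkt("10.0.0.5", 40001, "203.0.113.9", 80, b"GET /index.html", 0),
    make_pkt("203.0.113.9", 80, "10.0.0.5", 40001, b"HTTP/1.1 200 OK", 2),
    make_pkt("203.0.113.9", 80, "10.0.0.5", 40001, b"<html>...", 2),
    make_pkt("10.0.0.7", 51000, "198.51.100.4", 6881, b"\x13BitTorrent protocol", 1),
    make_pkt("198.51.100.4", 6881, "10.0.0.7", 51000, b"\x00\x00\x00\x05\x04", 3),
]

def run(sync, n_modules=4):
    """Return the per-packet verdicts with or without cross-module synchronization."""
    shared = {}
    modules = [DpiModule(f"dpi{i}", shared) for i in range(n_modules)]
    return [modules[p["ingress"]].inspect(p, sync) for p in TRACE]
```

Without synchronization, the response half of each flow lands on a module that never saw the identifying request and stays "unknown"; with the shared table, every packet of both flows is identified.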
