Pattern matching

The increasing volume of network traffic in modern high-speed networks comes with an increasing number and diversity of threats. In addition, attacks are becoming more sophisticated and harder to detect. It is no longer enough to base detection on L3 or L4 header fields, as many applications use dynamic TCP/UDP ports and attackers use non-standard TCP/UDP ports. If you want to see what's really going on, you need to look inside. The technique known as deep packet inspection (DPI) serves exactly this purpose. It looks at L7 application data and analyses the contents of web (HTTP), email (SMTP, POP, IMAP), DNS and other forms of communication.


There is a crucial difference between DPI and classification based on extracted header fields. Classification works with header field values, which are always located at positions relative to the beginning of the packet that can be determined fairly easily. DPI, on the other hand, needs to inspect the whole packet, including its payload. An example is HTTP traffic, which is identified by its text header, not by the TCP/UDP port it is assigned. If you use the TCP/UDP port number to identify HTTP traffic, you will miss all of the HTTP traffic passing through non-standard TCP/UDP ports.

The input for DPI is typically a set of regular expressions describing a class of traffic, which makes the task much more complex than matching header fields. The issue is so serious that today's software-based appliances deploying DPI do not scale above 10 Gbps. The solution to this computation-intensive task lies in the parallelism provided by FPGA technology. FPGAs are highly suitable for implementing DPI engines that scale to over 100 Gbps throughput. As a result, implementation on an FPGA chip saves an immense amount of CPU time and electricity, and makes it possible to achieve DPI performance that is unreachable with today's CPUs.
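The difference between port-based classification and payload matching against a set of regular expressions can be seen in a small software model. This is an added example, not Netcope code; the signature set, port table and sample packets are simplified and constructed for illustration, and each packet is matched on its own without stream reassembly.

```python
import re
from collections import namedtuple

# Constructed sample packets (destination port, L7 payload); not captured traffic.
Packet = namedtuple("Packet", "dst_port payload")
SAMPLES = [
    Packet(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet(8081, b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # HTTP, non-standard port
    Packet(80, b"SSH-2.0-OpenSSH_9.6\r\n"),                                # not HTTP, but on port 80
    Packet(25, b"EHLO mail.example.test\r\n"),
    Packet(53124, b"\x16\x03\x01\x00\x05hello"),                           # opaque binary data
]

# Assumed, simplified signature set: one regular expression per traffic class,
# anchored at the start of the application payload.
SIGNATURES = {
    "http": re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "smtp": re.compile(rb"^(?:EHLO|HELO) \S+\r\n"),
    "ssh": re.compile(rb"^SSH-2\.0-\S+"),
}

# Header-field classification: a fixed lookup on the L4 destination port.
PORT_TABLE = {80: "http", 25: "smtp", 22: "ssh"}


def classify_by_port(pkt):
    """Classify using only the destination port (L4 header field)."""
    return PORT_TABLE.get(pkt.dst_port, "unknown")


def classify_by_payload(pkt):
    """Classify by matching the payload against every signature in the set."""
    for name, rx in SIGNATURES.items():
        if rx.match(pkt.payload):
            return name
    return "unknown"


def compare(packets):
    """Return (port, port-based class, payload-based class) for each packet."""
    return [(p.dst_port, classify_by_port(p), classify_by_payload(p)) for p in packets]


if __name__ == "__main__":
    for port, by_port, by_payload in compare(SAMPLES):
        note = "" if by_port == by_payload else "  <-- port-based result differs"
        print(f"{port:>5}  port={by_port:<8} payload={by_payload:<8}{note}")
```

The payload classifier evaluates each signature in turn for every packet, so the work grows with the size of the signature set; that per-packet cost is the part an FPGA engine evaluates in parallel.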
