3rd International Conference on Intelligent Computational Systems (ICICS'2013) January 26-27, 2013 Hong Kong (China)

The Development of Deep Packet Inspection Platform and Its Applications

Yoonjae. Lee, Junseok. Oh, Joon Kyung. Lee, Dongwon. Kang, and Bong Gyou. Lee

Abstract— Due to the development of the mobile network and the wide use of mobile devices, mobile traffic has significantly increased. Most advanced countries including Korea have developed various technologies to reduce heavy mobile traffic. This research has developed and utilized the DPI (Deep Packet Inspection) platform that has been considered as a solution for enhancing the mobile traffic flow. In this paper, the hardware and software components of the platform are described with its four utilization fields.

Keywords—Deep Packet Inspection, Mobile Traffic, High-speed Traffic Control and Analysis Platform (HITCAP), Data Traffic Control

I. INTRODUCTION

RECENTLY, mobile traffic has increased due to the advance of mobile telecommunication technologies and the advent of the various connected devices. According to the research of Sandvine company, mobile data has the peak traffic around 2 PM in Europe (See Fig. 1) [1]. The Internet service providers (ISP) and the mobile carriers spend their network management budgets by decreasing the traffic in congestion time [2]. Therefore, the mobile carriers need to adopt the Network Intelligence Technology for efficiently managing and distributing the mobile traffic that constantly occurs in the mobile network under limited spectrum resource environment [3, 4].

In order to enhance the mobile traffic situation in Korea, the Electronics and Telecommunications Research Institute (ETRI) has developed the Deep Packet Inspection (DPI) platform as part of the development of Network Intelligence Technology [5]. This research describes the DPI platform which is developed in Korea in respect to software and hardware. In Chapter 2, we reviewed the concept of DPI and the current conditions of its development. In Chapter 3, we show the DPI platform that is developed in Korea. Lastly, the conclusion and contribution will be presented in Chapter 4.

Fig. 1 Mobile Data Traffic Profile (Europe, Wi-Fi) (Source: Sandvine, 2012)

II. RELATED WORKS

A. Deep Packet Inspection

The DPI technology was first introduced for network security. As the representative security technology prior to the introduction of DPI, Stateful Packet Inspection (SPI) technology was widely used, which is the technology for detecting abnormal packets by inspecting the packet headers (Layer 2-4) [6]. However, SPI is not able to detect new network attacks, for example, NIDS Evasion and DDoS. Accordingly, DPI was introduced and it became a new technology to inspect the Payload, which means the contents of packets, by inspecting the entire layer of packets (Layer 2-7) (See Fig. 2) [7]. These days, the network enterprises embed the technology into their equipment. The DPI provides operators with visibility into the data traffic needed to enable new service models and pricing plans and to support new architectures like software-defined networks (SDNs) [8].

B. The DPI Development Markets

According to Infonetics Research, the DPI market is expected to grow at a 30.4% compound annual growth rate (CAGR) from 2011 to 2016, driven by the increased use of DPI in networks [9]. The representative DPI equipment developers are Sandvine, Cisco, Arbor Networks and Procera. They support Internet traffic management and the real-time processing of the massive traffic by DPI standalone equipment.

Yoon Jae. Lee is a graduate student in the graduate school of information, Yonsei University, Seoul, 120749 Korea.
Junseok. Oh is a research professor in communication policy research center, Yonsei University, Seoul, 120749 Korea.
Joon Kyung. Lee is a principal member of engineering staff, Electronics and Telecommunications Research Institute, Daejeon, 305350 Korea.
Dongwon. Kang is a principal member of engineering staff, Electronics and Telecommunications Research Institute, Daejeon, 305350 Korea.
Bong Gyou. Lee is a professor in the graduate school of information, Yonsei University, Seoul, 120749 Korea (phone: +82-2-2123-6524; fax: +82-2-2123-8654).


The DPI equipment of Sandvine, the leader in the DPI market, has unique DPI signature analysis functions (See Fig. 3) [8, 9]. The PTS 24500 of Sandvine provides 80Gbps process capacity per box by the Policy Traffic Switch. With this function, it also provides network reporting, management of congestion, the creation of private services and management of malicious traffic [10]. The SCE 8000 developed by Cisco is the router embedding DPI modules and it provides 30Gbps process capacity, multi-clustering supporting 10Gbps and concurrent processing for 1 million subscribers [11]. The ETRI developed the DPI platform which is the High-speed Internet Traffic Control and Analysis Platform (HITCAP) with small enterprises and universities in Korea. HITCAP is the platform including the hardware and software. It supports the 40Gbps processing capacity, service virtualization, and individual policy controls [12].

Fig. 2 The range for inspecting packets (Source: ETRI, 2012)

Fig. 3 The DPI market share (Source: Infonetics Research, 2012)

TABLE I
THE SPECIFICATION OF DPI EQUIPMENT (Source: ETRI, 2012)

Vendor: Sandvine | Cisco | Arbor Networks | Procera | ETRI | ETRI
Product Name: PTS 24500 | SCE8000 | E100 | PL-20000 | HITCAP-10 | HITCAP-40
Type: STANDALONE | STANDALONE | STANDALONE | STANDALONE | STANDALONE | STANDALONE
Height: 4U | 5U | 5U | 14U/15U | 2U | 2U
Interface: 8 ports*10GE 2 or 4 ports*10GE 4 ports*10GE 36 ports*10GE 3 ports*10GE(2ea) 4 ports*10GE(4ea) 8 ports*1GE 8~16 ports*10GE 12 ports*10GE 2 ports*100GE 2 ports*10GE(2ea)
Performance (Blades / Sash): 40Gbps / 40Gbps / 60Gbps 15Gbps / 30Gbps 10Gbps / 20Gbps 320Gbps 20Gbps / 80Gbps 160Gbps(Estimated)
The number of Subscribers: 5M | 1M | 10M | 2M | 5M (Estimated)
Features: - Policy - Service virtualization (Multitasking) - The management technology based - eFlowC (Easy development environment) - Recognition of - Routing based on and control system on DRDL - Controlling individual policies various applications DPI technology for centralized - Supporting - High-performance DPI pattern recognition - 3G network billing traffic 100GbE - Flexible Add-on (Multi-core with interface co-processor)

III. THE SPECIFICATION OF HITCAP

A. Hardware Specifications

HITCAP consists of hardware and software platforms. First, the hardware platform includes Network Interface Cards (NIC), which are HITCAP-HX and HITCAP-TG, and Platform Management Server (PMS).

Fig. 4 shows the functions of the HITCAP hardware. HITCAP-HX and HITCAP-TG perform the Intelligent DPI and the Smart DPP functions, respectively. When the packets are sent to the system, the packets are inspected by the Intelligent DPI of HITCAP-HX in L2 to L4 layers. If the packets are not recognized as the detecting targets, they are forwarded to the output terminal without inspecting at the next step (Smart DPP). If the packets are the detecting targets, the entire packets including L7 payload are inspected through the Smart DPP of HITCAP-TG. The entire system performance is increased by the unique inspection method.
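The two-stage flow described above, sketched as an added example (not ETRI's code and not part of the original paper): a header-only stage decides whether a packet is a detection target, and only targets reach payload matching. The port rule, the signatures, the sample packets, the omission of Ethernet framing and the choice to drop truncated packets are all assumptions made for illustration.

```python
import socket
import struct

TARGET_PORTS = {80}   # constructed stage-1 rule; signatures below are constructed too
SIGNATURES = {b"GET /video/": "http-video", b"\x13BitTorrent protocol": "p2p"}

def build_packet(src, dst, sport, dport, payload):
    """Constructed sample input: minimal IPv4 + TCP packet, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload

def stage1_headers(pkt):
    """Header-only stage (L3-L4): payload offset for a target, None to forward."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                      # only TCP can be a target in this sketch
        return None
    if ihl < 20 or len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    offset = ihl + (pkt[ihl + 12] >> 4) * 4
    if offset < ihl + 20 or offset > len(pkt):
        raise ValueError("bad TCP data offset")
    return offset if TARGET_PORTS & {sport, dport} else None

def stage2_payload(payload):
    """Payload stage (L7): first matching signature wins."""
    for pattern, label in SIGNATURES.items():
        if pattern in payload:
            return label
    return "unclassified"

def process(pkt):
    """Return (action, label, payload_bytes_scanned) for one packet."""
    try:
        offset = stage1_headers(pkt)
    except ValueError:
        return ("drop-malformed", None, 0)   # assumed policy; the paper states none
    if offset is None:
        return ("forward", None, 0)          # fast path: payload is never read
    payload = pkt[offset:]
    return ("inspected", stage2_payload(payload), len(payload))

if __name__ == "__main__":
    print(process(build_packet("10.0.0.1", "10.0.0.2", 40000, 80, b"GET /video/a.mp4")))
```

Because the header stage bounds what the payload stage can ever see, its target rules need the same review as the signature set when classification coverage is assessed.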


Fig. 4 The functions of HITCAP hardware (Source: ETRI, 2012)

HITCAP PMS provides the monitoring function and the setting function for the HITCAP hardware and its operating system. It also provides the function for multi NIC management.

B. Software Specifications

The HITCAP software platform consists of the Service Plug-In Virtualization Adapter (SPVA) and the Service Plug-In Dispatch Panel (SPDP). Fig. 5 shows the components of the HITCAP software. The SPVA provides various application services based on user requests, applying the change of application services according to the rapidly changing requirements, and dynamically adopting (multitasking) the various services. The SPDP is the web management system that is responsible for the application service lists and the input of commands. The network traffic supervisor is able to control the applications through the SPDP and the order of applications is sent to HITCAP via the SPVA [13].

Fig. 5 The components of HITCAP software (Source: W.Lee, 2012)

IV. CONCLUSIONS AND FUTURE WORKS

Due to the dramatic increase of data traffic in mobile networks, lots of service providers are adopting the DPI equipment for securing the visibility of the data traffic. The DPI technology has become one of the key network intelligent technologies in order to manage the data traffic. Recently, Sandvine and Cisco, which are major network equipment enterprises, have released DPI equipment. The ETRI has also developed the DPI platform, i.e., HITCAP, as the representative Korean DPI platform. HITCAP includes five significant functions that are not included in existing DPI solutions developed by other enterprises. The features of HITCAP are service virtualization for multitasking functions, eFlowC, which is the easy development environment, controlling individual policies, high-performance DPI pattern recognition, and flexible add-on, which has multi-core with co-processor. The DPI platform that is developed in this research is expected to apply to the following mobile network areas: 1) Additional management services for subscribers based on personalized policies; 2) The charge per packets and service traffic control; 3) Real-time accurate monitoring of massive traffic and controlling of the service traffic; and 4) Real-time integrated control of the network traffic for providing a clean Internet environment.

The developed DPI platform in this research will contribute to improving the mobile network environment by controlling the data traffic on wired and wireless networks. This is one of the important goals of telecommunication enterprises and the platform is expected to have a significant role in improving the networks. The Telco specialized services have to be developed and implemented into the DPI platform in order to commercialize the platform.


ACKNOWLEDGMENT

This work is one of the results from the project “Development of Real-time Traffic’s Integrated Control Platform for Clean Internet and Fair Interconnection Environment” that is supported by KCC (No.0991105005).

REFERENCES

[1] Sandvine, “Global Internet Phenomena Report,” Sandvine White Paper, 2012.
[2] Y.J. Lee, J.S. Oh, and B.G. Lee, “Logical Push Framework for Real-time SNS Processing,” The 4th IEEE International Conference on Computational Aspects of Social Networks, Brazil, Nov. 2012.
[3] Infonetics Research, “Service Provider Deep Packet Inspection Products,” Infonetics’ biannual DPI report, 2012.
[4] R. Bendrath, “Global technology trends and national regulation: Explaining Variation in the Governance of Deep Packet Inspection,” International Studies Annual Convention, New York, pp.1-32, Mar. 2009.
[5] Y.J. Lee, J.S. Oh, J.K. Lee, D.W. Kang, and B.G. Lee, “The Utilization of Deep Packet Inspection for Real-time Massive Traffic Processing,” The conference on Korean Society for Internet Information, Korea, Vol.13, No.2, pp.77-78, Nov. 2012.
[6] T. Porter, “The Perils of Deep Packet Inspection,” Security Focus, Mar. 2008.
[7] S.W. Shin, D.H. Kang, K.Y. Kim, and J.S. Jang, “Analysis of Deep Packet Inspection Technology,” Electronic Communication Trend Analysis, Vol.19, No.3, pp.117-124, Jun. 2004.
[8] R. Bendrath, “Global technology trends and national regulation: Explaining Variation in the Governance of Deep Packet Inspection,” International Studies Annual Convention, Vol.15 No.18, Feb. 2009.
[9] Shira Levine, “Mobile momentum drives DPI market to 30.4% CAGR through 2016,” Infonetics Research, 2012.
[10] Sandvine, “Policy Traffic Switch 24000: Platform Datasheet,” Sandvine Data Sheet, Jul. 2012.
[11] Cisco, “Cisco SCE 8000 Service Control Engine,” Cisco Data Sheet, 2010.
[12] ETRI, “Development of Real-time Traffic’s Integrated Control Platform for Clean Internet and Fair Interconnection Environment,” Project Report, 2012.
[13] W.B. Lee, D.W. Kang, and J.K. Lee, “A Plug-in Node Architecture for Dynamic Traffic Control,” The Fourth International Conference on Emerging Network Intelligence, 2012.
