DPI Signature Overview

1. DPI = Packet Handling + Domain Knowledge + Multi-Pattern Search Engine

A complete DPI (Deep Packet Inspection) solution contains three main components: an efficient search mechanism, network packet handling and application-specific domain knowledge. For example, the Lionic anti-virus feature is built from (1) the Lionic regular expression solution, which is the multi-pattern search engine; (2) the network packet handling and the anti-virus software engine, which are tightly coupled; and (3) the anti-virus signatures. Both the anti-virus software engine and the signatures belong to the application-specific domain knowledge part.

Most customers want total solutions. Although Lionic does provide software and hardware regular expression solutions, very few customers choose only these multi-pattern search engines and develop their own network packet handling and applications. That is why Lionic has developed complete DPI solutions for some selected domains in recent years.

2. Domain Knowledge generates DPI signatures

Lionic knows that domain knowledge is as important as the search mechanism and network packet handling. Several domains, such as anti-virus and anti-intrusion, were selected when Lionic planned its DPI solutions. The list grew gradually to six domains: anti-virus, anti-intrusion, anti-webthreat, application identification, device identification and web content filtering. Lionic has a dedicated team that researches these domains and some other potential domains. This research team helps the software team improve the software engine and produces the signatures.

Most DPI solutions are similar to car engines. A car engine needs gasoline to run. The gasoline of a DPI solution is the signatures created from application-specific domain knowledge. For example, virus signatures are made by anti-virus experts. The experts may use analysis tools, disassemblers, sandbox software and so on to extract suitable virus patterns. These patterns must not match clean files. The experts then select suitable virus rules according to the capacity of the network appliances. The selected rules are compiled into the binary signature file. Finally, the experts upload this file to the signature update cloud for distribution to network appliances. The anti-virus solution needs frequently updated virus signatures.
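The signature workflow described above (reject patterns that hit clean files, trim to appliance capacity, compile to a binary file), sketched as an added example that is not Lionic's code. It assumes Aho-Corasick as a stand-in for the multi-pattern search engine, and the rule ids, priorities, patterns and the `SIG0` file layout are all hypothetical.

```python
import struct
from collections import deque

def build_automaton(patterns):
    """Aho-Corasick over bytes: a stand-in multi-pattern search engine."""
    goto, fail, out = [{}], [0], [set()]
    for idx, pat in enumerate(patterns):
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto.append({}); fail.append(0); out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(idx)
    queue = deque(goto[0].values())
    while queue:  # breadth-first pass sets failure links
        s = queue.popleft()
        for b, t in goto[s].items():
            f = fail[s]
            while f and b not in goto[f]:
                f = fail[f]
            fail[t] = goto[f].get(b, 0)
            out[t] |= out[fail[t]]
            queue.append(t)
    return goto, fail, out

def scan(automaton, data):  # one pass; returns indexes of matched patterns
    goto, fail, out = automaton
    s, hits = 0, set()
    for b in data:
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        hits |= out[s]
    return hits

def build_signature_file(candidates, clean_files, capacity):
    """candidates: (rule_id, priority, pattern). Returns (ids, binary blob)."""
    ac = build_automaton([pat for _, _, pat in candidates])
    false_pos = set().union(*(scan(ac, blob) for blob in clean_files))
    safe = [c for i, c in enumerate(candidates) if i not in false_pos]
    chosen = sorted(safe, key=lambda c: -c[1])[:capacity]  # fit the appliance
    body = b"".join(struct.pack("<IH", rid, len(p)) + p for rid, _, p in chosen)
    return [c[0] for c in chosen], struct.pack("<4sH", b"SIG0", len(chosen)) + body

# Constructed sample data: rule ids, priorities and patterns are made up.
CANDIDATES = [(1001, 90, b"\xde\xad\xbe\xef\x13\x37"),
              (1002, 80, b"This program cannot be run in DOS mode"),
              (1003, 70, b"EVIL_MARKER_A"), (1004, 60, b"EVIL_MARKER_B")]
CLEAN_FILES = [b"MZ\x90\x00 This program cannot be run in DOS mode.\r\n", b"notes"]
```

Rule 1002 is dropped because its pattern appears in a clean file, and with a capacity of 2 the lowest-priority surviving rule (1004) is left out of the compiled file.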

3. Signature Service

So the “signature service” can be regarded as two components: “signature” and “service”. The “signature” is made by the expert team with application-specific domain knowledge. The “service” is provided by the scalable and efficient signature distribution system.