DPI Solutions in Practice: Benchmark and Comparison

By: Tommaso Rescio, Thomas Favale, Francesca Soro, Idilio Drago and Marco Mellia

Having a clear insight on the protocols carryingtraffic is crucial for network security. Deep Packet Inspection (DPI) has been a key technique to provide visibility into traffic. DPI has proven effective in various scenarios, and indeed several open source DPI solutions are maintained by the community. Yet, these solutions provide different classifications, and it is hard to establish a common ground truth. Independent works approaching the question of the quality of DPI are already aged and rely on limited datasets. Here, we test if open source DPI solutions can provide useful information in practical scenarios, supporting security applications.

We provide an evaluation of the performance of four open-source DPI solutions, namely nDPI, Libprotoident, Tstat andZeek. We use datasets covering various traffic scenarios, including operational networks, IoT scenarios and malware. As no ground truth is available, we study the consistency of classification across the solutions, investigating root-causes of conflicts. Important for on-line security applications, we check whether DPI solutions provide reliable classification with a limited number of packets per flow. All in all, we confirm that DPI solutions stillperform satisfactorily for well-known protocols. They however struggle with peer2peer traffic and security scenarios (e.g., with Malware traffic). All tested solutions reach a final classificationafter observing few packets with payload, showing adequacy foron-line security systems.

The source code will be available here.

Here a brief reference to all the involved datasets:

Macrotrace Flows Packets
TCP UDP
Valid Invalid Valid Original Filtered
User 440 k 241 k 1.1 M 48 M 4.6 M
Media & Games 11 k 4 k 16 k 81 M 2 M
Malware 392 k 466 k 979 k 33 M 26 M
IoT 39 k 79 k 50 k 5 M 2 M