utoni / nDPId

Tiny nDPI based deep packet inspection daemons / toolkit.

DFI over DPI?

subhajit-cdot opened this issue · comments

Hi,
I am assuming you are still actively associated with nDPI enhancement. Do you think there is a need for DFI (deep flow inspection) along with the existing DPI (where the dissectors mostly check packet payload patterns or payload length) to detect applications accurately?
I was reading the paper below and want to discuss it with you before posting it as an nDPI repo issue.
https://reader.elsevier.com/reader/sd/pii/S187770581730276X?token=74B2C8BC7E1E9DEFCC8A8992234ED823EF2A7B8F4BAEA2C547AC049837EEE74362C1D8737D0C18B3CE68F82CA659FDB1&originRegion=eu-west-1&originCreation=20220103053518

In my understanding, if nDPI fails to get info from SNI or HTTP etc. parsing, i.e. up to L5, it goes for pattern matching based on some reverse-engineering methods learned from pcap files, which may produce false positives in the case of encrypted traffic. But the paper shows that dissectors made of a flow-based model give more accuracy than packet-payload-based matching. Any comment on this?

Thanks
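As an added illustration of the distinction raised in this post (this is not code from nDPI, nDPId or the cited paper, and it uses none of the nDPI API), the Python below computes a DPI-style verdict and a DFI-style verdict for three constructed flows. The signature list, the flow-feature set, the rule thresholds in `dfi_classify` and every packet are assumptions made up for the example; the hand-written rules stand in for the trained flow model that the paper evaluates.

```python
from __future__ import annotations

import hashlib
import math
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    direction: int   # 0 = client -> server, 1 = server -> client
    ts: float        # timestamp in seconds (constructed)
    payload: bytes   # L4 payload only, may be empty

@dataclass
class FlowFeatures:
    packets: int
    bytes_c2s: int
    bytes_s2c: int
    mean_len: float
    mean_iat: float
    payload_entropy: float

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def extract_features(flow: list[Packet]) -> FlowFeatures:
    """DFI-style features: sizes, directions, timing and entropy, no byte patterns."""
    lens = [len(p.payload) for p in flow]
    iats = [b.ts - a.ts for a, b in zip(flow, flow[1:])]
    return FlowFeatures(
        packets=len(flow),
        bytes_c2s=sum(n for p, n in zip(flow, lens) if p.direction == 0),
        bytes_s2c=sum(n for p, n in zip(flow, lens) if p.direction == 1),
        mean_len=statistics.fmean(lens),
        mean_iat=statistics.fmean(iats) if iats else 0.0,
        payload_entropy=shannon_entropy(b"".join(p.payload for p in flow)),
    )

# DPI-style dissector: a protocol is recognised when some packet payload starts
# with a known byte pattern. Toy signatures invented for this example, not nDPI's.
SIGNATURES = [("http", b"GET "), ("http", b"POST "), ("http", b"HTTP/1.")]

def dpi_match(flow: list[Packet]) -> str | None:
    for p in flow:
        for proto, sig in SIGNATURES:
            if p.payload.startswith(sig):
                return proto
    return None  # no pattern matched: opaque (encrypted) or unknown payload

def dfi_classify(f: FlowFeatures) -> str:
    """Hand-written thresholds standing in for a trained flow model (assumption)."""
    if f.payload_entropy < 6.0:
        return "plaintext"
    if f.bytes_s2c > 4 * f.bytes_c2s and f.mean_len > 500:
        return "encrypted-bulk-download"
    return "encrypted-interactive"

def opaque(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

# Constructed flows: one plaintext HTTP exchange and two opaque flows that
# differ only in their size / direction / timing profile.
HTTP_FLOW = [
    Packet(0, 0.000, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet(1, 0.020, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                     b"Content-Length: 61\r\n\r\n"
                     b"<html><body>hello hello hello hello hello hello</body></html>"),
]
BULK_FLOW = [Packet(0, 0.000, opaque(96, b"req"))] + [
    Packet(1, 0.010 * (i + 1), opaque(1400, b"rec%d" % i)) for i in range(4)
]
INTERACTIVE_FLOW = [
    Packet(i % 2, 0.45 * i, opaque(64 if i % 2 == 0 else 96, b"key%d" % i))
    for i in range(8)
]

def analyse(flow: list[Packet]) -> tuple[str | None, str]:
    """(DPI verdict, DFI verdict) for one flow."""
    return dpi_match(flow), dfi_classify(extract_features(flow))

if __name__ == "__main__":
    for name, flow in [("http", HTTP_FLOW), ("bulk", BULK_FLOW), ("interactive", INTERACTIVE_FLOW)]:
        print(name, analyse(flow), round(extract_features(flow).payload_entropy, 2))
```

Running it shows the byte-pattern matcher returning a protocol only for the plaintext HTTP flow and `None` for both opaque flows, while the size, direction and timing features still separate the bulk download from the interactive exchange. The entropy feature is what keeps the plaintext flow apart from the opaque ones; a real DFI model would learn its boundaries from labelled flows rather than from the fixed thresholds used here.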

commented

Sorry for my late answer. The paper looks pretty interesting. AFAICT nDPI can already do some statistical data analysis, but I am not (yet) into that part of nDPI, so I cannot tell you if that is used for DFI. FYI: src/lib/ndpi_analyze.c