Network Traffic Identification and Classification

Allot’s vast expertise in deep packet inspection (DPI) and real-time policy enforcement is translated into a highly effective toolkit for managing bandwidth consumption and service performance on all Allot gateway platforms, including bare metal, virtual, and cloud-native implementations.

DART – Powering Superior DPI

Allot’s Dynamic Actionable Recognition Technology (DART) is embedded in the company’s high-performance Deep Packet Inspection (DPI) platforms. Integrating Allot’s vast expertise in IP traffic identification and network traffic classification, DART is at the core of the company’s highly effective solutions for managing bandwidth utilization and application performance in any network. DART delivers the granular visibility that enables service providers to optimize and monetize their assets. Similarly, it empowers business network security with the ability to control and secure business-critical applications.

Multiple Analysis Methods

Allot’s DART employs multiple inspection and analytical methods to identify specific applications, sub-applications, and protocols, from simple traffic monitoring to session-level analysis of encrypted protocols. Continuously evolving forms of analysis are used to accurately identify new applications and protocols, including flows that have been deliberately designed to evade detection. The combination of behavioral, statistical, and machine-learning techniques greatly improves recognition capabilities. It reduces unidentified traffic, even at maximum speeds and peak loads.

Application and Protocol Signatures

To deal with numerous Internet and network applications and protocols, a methodical and systematic identification process is employed. Every application’s communication protocol constitutes a unique identifying “fingerprint” or signature.

Thus, signatures are unique identifiers used to recognize different applications or protocols. When a new application or protocol is encountered, it is analyzed, and an appropriate signature is then developed and added to Allot’s Protocol Pack. This Protocol Pack is referred to as a signature library.

Application signatures are checked and updated on a regular basis because they tend to vary as new application updates or protocol revisions occur.

Allot’s DPI leverages its up-to-date signature library to ensure enhanced classification performance that keeps up with ever-changing applications and services.

DART delivers multi-dimensional awareness

  • Applications: Identifies and accurately classifies more applications and protocols than any other solution, enabling any action – analysis, control, optimization – to be taken at the same level of granularity.
  • Users: Identifies the users generating the traffic, e.g., a user playing a game on a tablet, a user in a WhatsApp chat on an iPhone, and a user watching YouTube videos on an Android phone.
  • Devices: Identifies the devices being used – dongle, smartphone, tablet – and the device manufacturer. This device awareness powers a myriad of use-cases including tethering traffic identification, new device campaigns, device-aware optimization and more.
  • Access: Provides access-aware visibility that allows the monitoring and control of traffic flows at specific access points in order to maintain network performance. Cell awareness in mobile access and CMTS awareness in cable access are two leading scenarios enabled by DART.
  • Context: Identifies what users are doing in the application, and not just the application being used, e.g., users can be watching a video, browsing, or chatting with friends on the same application. Such types of usage may relate to different use cases with different user quality expectations.
  • Video: Provides unique information about OTT video – including Quality of Experience parameters, video attributes such as resolution and format, and specific content details – enabling an in-depth view of video consumption and the overall quality of video delivery.

Clear benefits

  • Granular visibility of all network traffic, including OTT applications
  • Multi-dimensional insight into application, user, device, access, context, video, and more
  • Identification of thousands of applications and sub-applications in all network scenarios
  • Supports QUIC de-obfuscation, which enables identification of the application (Google QUIC as well as IETF QUIC)
  • VPN support: identification and blocking of VPN traffic
  • Supports TCP fingerprinting to identify popular operating systems: Android, iOS, Windows (available in reports for analytic purposes)

Hitless updates

Hitless updates keep the DART engine inside every Allot platform up-to-date on all awareness dimensions. DART protocol and signature updates are propagated automatically to all platforms without affecting surrounding services and systems.

Encrypted Network Traffic Classification

As applications attempt to evade detection through encryption, or by altering their connection behavior or flow patterns, Allot’s DART-powered DPI adapts to changing tactics through a variety of advanced methods.

  • Analysis by Pattern Matching: the search for a sequence of textual characters or binary values within the contents of the packet. String matches may consist of several strings distributed within a packet or several packets.
  • Analysis of Numerical Properties: the investigation of arithmetic and numerical characteristics within a packet, of a packet, or of several packets. Some examples of properties analyzed include payload length, the number of packets sent in response to a specific transaction, and the numerical offset of some fixed string (or byte) value within a packet.
  • Behavioral and Heuristic Analysis: the extraction of statistical parameters of examined packet transactions to analyze the way a protocol acts and operates.
  • Peer Learning System: by analyzing the network behavior and identifying P2P seeders (multiple transmission of files) and popular peers, Allot can identify peer-to-peer traffic even for encrypted protocols.
  • Classification by Port: a basic method to classify a protocol by a known port, as a form of analysis to be used together with other tools. Many applications use either default ports or some selected ports in a specific manner.
  • Classification by IP: a basic method to classify a protocol by a set of known IPs or IP ranges. This classification method is highly accurate and is often used with automatic IP discovery tools.
  • Machine Learning: collects network statistics to form distinctive application and protocol patterns, including under encryption.
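
An added example, not Allot's code or signature library: a minimal flow classifier that layers four of the methods listed above (pattern matching, classification by IP, numerical properties, classification by port). The `Flow` type, the signature tables, the address range and the evaluation order are assumptions made for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass

@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    packets: list  # first client-to-server payloads of the flow (bytes)

# Constructed signature tables for illustration; not a real signature library.
PATTERNS = [  # (label, byte strings that must appear in this order in the stream)
    ("bittorrent", [b"\x13BitTorrent protocol"]),
    ("ssh", [b"SSH-", b"\r\n"]),
]
IP_RANGES = {"video-cdn": ipaddress.ip_network("203.0.113.0/24")}  # documentation range
PORTS = {22: "ssh", 53: "dns", 443: "tls"}

def match_pattern(stream):
    """Pattern matching: ordered substrings, possibly spread over several packets."""
    for label, parts in PATTERNS:
        pos = 0
        for part in parts:
            pos = stream.find(part, pos)
            if pos < 0:
                break
            pos += len(part)
        else:
            return label
    return None

def looks_like_tls_hello(first):
    """Numerical properties: fixed byte values at fixed offsets plus a length field."""
    if len(first) < 6 or first[0] != 0x16 or first[1] != 0x03 or first[5] != 0x01:
        return False
    (record_len,) = struct.unpack("!H", first[3:5])
    return 0 < record_len <= 2**14

def classify(flow):
    """Return (label, method); content evidence is tried before address and port."""
    label = match_pattern(b"".join(flow.packets))
    if label:
        return label, "pattern"
    addr = ipaddress.ip_address(flow.dst_ip)
    label = next((name for name, net in IP_RANGES.items() if addr in net), None)
    if label:
        return label, "ip"
    if flow.packets and looks_like_tls_hello(flow.packets[0]):
        return "tls", "numerical"
    return PORTS.get(flow.dst_port, "unknown"), ("port" if flow.dst_port in PORTS else "none")
```

Because the port lookup runs last, a BitTorrent handshake sent to port 443 is labelled by its payload rather than by the port it borrows, which is why the list above calls port classification a method to be used together with other tools.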
