Deep content inspection

Deep content inspection (DCI) is a form of network filtering that examines an entire file or MIME object as it passes an inspection point, searching for viruses, spam, data loss, key words or other content level criteria.

A new generation of Network Content Security devices, such as Unified Threat Management or Next Generation Firewalls (Gartner RAS Core Research Note G00174908), uses DPI to prevent attacks from a small percentage of viruses and worms: the signatures of this malware fit within the payload of a DPI's inspection scope.

However, the detection and prevention of a new generation of malware such as Conficker and Stuxnet is only possible through the exhaustive analysis provided by DCI.

For such signature matching, FPGAs (Field Programmable Gate Arrays), Network Processors, or even Graphics Processing Units (GPUs)[4] are programmed to be hardwired with these signatures and, as a result, traffic that passes through such circuitry is quickly matched.

Proxy-based anti-virus solutions graduated to what is now known as secure web gateways: proxy-based inspection retrieves and scans objects, scripts, and images.

In 2006, the open-source, cross-platform antivirus software ClamAV added support for the caching proxies Squid and NetCache.

Since complete files or ‘objects’ were passed for scanning, proxy-based anti-virus solutions are considered the first generation of network content inspection.

In order to understand the communication session's intent in its entirety, a Deep Content Inspection system must scan both the handshake and the payload.
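The difference in inspection scope can be made concrete. The following is an added example, not code from the article or from any vendor named in it: a constructed, benign marker string stands in for a malware signature, a constructed small text object is optionally gzip-encoded and then split into fixed-size segments, and a packet-scoped matcher (DPI) is compared with one that reassembles and decodes the whole object first (DCI). The marker, the object contents and the segment size of 64 bytes are all assumptions chosen so that the marker straddles a segment boundary.

```python
import gzip
from typing import List

# Constructed, benign marker standing in for a malware signature (example only).
SIGNATURE = b"DCI-EXAMPLE-MARKER-0001"


def build_object(compress: bool) -> bytes:
    """Build a constructed HTTP-style body: a small text file containing
    SIGNATURE, optionally gzip-encoded as a server would with Content-Encoding."""
    body = b"report header\n" * 4 + SIGNATURE + b"\nreport trailer\n"
    return gzip.compress(body) if compress else body


def segment(stream: bytes, mss: int) -> List[bytes]:
    """Split the byte stream into fixed-size segments, as a transport layer would."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def dpi_scan(packets: List[bytes], signature: bytes) -> bool:
    """Packet-scoped DPI: each payload is matched on its own, with no
    reassembly and no decoding of the content encoding."""
    return any(signature in pkt for pkt in packets)


def dci_scan(packets: List[bytes], signature: bytes, encoding: str) -> bool:
    """Deep content inspection: reassemble the complete object, undo the
    content encoding, then match against the whole object at once."""
    obj = b"".join(packets)
    if encoding == "gzip":
        obj = gzip.decompress(obj)
    return signature in obj


def compare(compress: bool, mss: int) -> dict:
    """Run both scanners over the same segmented object and report the outcome."""
    packets = segment(build_object(compress), mss)
    encoding = "gzip" if compress else "identity"
    return {
        "packets": len(packets),
        "dpi": dpi_scan(packets, SIGNATURE),
        "dci": dci_scan(packets, SIGNATURE, encoding),
    }
```

With a 64-byte segment size the plain object's marker is cut across two segments, so the packet-scoped scan misses it while the object-level scan finds it; with gzip encoding the packet-scoped scan misses it regardless of segmentation.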

This third-generation approach to deep content inspection was developed within the defence and intelligence community, first appearing in guard products such as SyBard,[5] and later by Wedge Networks Inc. Key implementation highlights of this company's approach can be deduced from its patent USPTO# 7,630,379.[6]

The main differentiators of deep content inspection are: Deep content inspection is content-focused instead of analyzing packets or classifying traffic based on application types, as in Next Generation Firewalls.

Example inspection levels: Because the complete objects of the payload are available to a Deep Content Inspection system, some of the services/inspection examples can include:

DCI is currently being adopted by enterprises, service providers and governments as a reaction to increasingly complex internet traffic, with the benefit of understanding complete file types and their intent.[7]

This type of inspection deals with real-time protocols that only continue to increase in complexity and size.

Handling this volume of traffic and information and then applying services requires very high-speed lookups in order to be effective.

(Figure: Sample encapsulation of application data from UDP to a Link protocol frame)