conferences | speakers | series

Network Traffic Classification for Cybersecurity and Monitoring

home

Network Traffic Classification for Cybersecurity and Monitoring
FOSDEM 2022

Security and monitoring applications need to classify traffic in order to identify applications protocols, misuses, similarities, communications patterns not easily identifiable by hand. nDPI is a library that implements various algorithms for traffic analysis able to detect outliers, anomalies, traffic clusters, behavioural changes efficiently in streaming (i.e. while traffic is flowing). Goal of this presentation is to show how nDPI can be used in real life to inspect network traffic and spot patterns worth to be analysed in detail.

Modern network security and monitoring applications need to analyse traffic efficiently in streaming fashion (i.e. while traffic is flowing). This is in order to detect interesting traffic patterns in realtime without dumping data on a database and performing computationally expensive queries in batches. Many network developers do not have skills for efficiently analyse traffic, and data scientists often do not have skills to understand the complex nature of network traffic. For this reason nDPI, a popular open-source deep packet inspection library, has been enhanced with various algorithms and techniques that dramatically simplify traffic analysis and that should ease the creation of applications able to efficiently spot traffic patterns and anomalies. This talk will introduce some of these algorithms present in nDPI and show how they can be used in real-life at high-speed, contrary to many applications that are inefficient and often based on languages (e.g. Python and R) that are not designed to analyse traffic in streaming at 10 Gbit+ on commodity hardware.

Speakers: Luca Deri