25,095 research outputs found

    The legality of deep packet inspection

    Deep packet inspection is a technology which enables the examination of the content of information packets being sent over the Internet. The Internet was originally set up using “end-to-end connectivity” as part of its design, allowing nodes of the network to send packets to all other nodes of the network, without requiring intermediate network elements to maintain status information about the transmission. In this way, the Internet was created as a “dumb” network, with “intelligent” devices (such as personal computers) at the end or “last mile” of the network. The dumb network does not interfere with an application's operation, nor is it sensitive to the needs of an application, and as such it treats all information sent over it as (more or less) equal. Yet, deep packet inspection allows the examination of packets at places on the network which are not endpoints. In practice, this permits entities such as Internet service providers (ISPs) or governments to observe the content of the information being sent, and perhaps even manipulate it. Indeed, the existence and implementation of deep packet inspection may challenge profoundly the egalitarian and open character of the Internet. This paper will firstly elaborate on what deep packet inspection is and how it works from a technological perspective, before going on to examine how it is being used in practice by governments and corporations. Legal problems have already been created by the use of deep packet inspection, which involve fundamental rights (especially of Internet users), such as freedom of expression and privacy, as well as more economic concerns, such as competition and copyright. These issues will be considered, and an assessment of the conformity of the use of deep packet inspection with law will be made.
    There will be a concentration on the use of deep packet inspection in European and North American jurisdictions, where it has already provoked debate, particularly in the context of discussions on net neutrality. This paper will also incorporate a more fundamental assessment of the values that are desirable for the Internet to respect and exhibit (such as openness, equality and neutrality), before concluding with the formulation of a legal and regulatory response to the use of this technology, in accordance with these values.

    VIQID: a no-reference bit stream-based visual quality impairment detector

    In order to ensure adequate quality towards the end users at all times, video service providers are getting more interested in monitoring their video streams. Objective video quality metrics provide a means of measuring (audio)visual quality in an automated manner. Unfortunately, most of the current existing metrics cannot be used for real-time monitoring due to their dependencies on the original video sequence. In this paper we present a new objective video quality metric which classifies packet loss as visible or invisible based on information extracted solely from the captured encoded H.264/AVC video bit stream. Our results show that the visibility of packet loss can be predicted with a high accuracy, without the need for deep packet inspection. This enables service providers to monitor quality in real-time.

    Deep pockets, packets, and harbours

    Deep Packet Inspection (DPI) is a set of methodologies used for the analysis of data flow over the Internet. It is the intention of this paper to describe technical details of this issue and to show that by using DPI technologies it is possible to understand the content of Transmission Control Protocol/Internet Protocol communications. These communications can carry publicly available content, private users' information, legitimate copyrighted works, as well as infringing copyrighted works. Legislation in many jurisdictions regarding Internet service providers’ liability, or more generally the liability of communication intermediaries, usually contains “safe harbour” provisions. The World Intellectual Property Organization Copyright Treaty of 1996 has a short but significant provision excluding liability for suppliers of physical facilities. The provision is aimed at communication to the public and the facilitation of physical means. Its extensive interpretation to cases of contributory or vicarious liability, in absence of specific national implementation, can prove problematic. Two of the most relevant legislative interventions in the field, the Digital Millennium Copyright Act and the European Directive on Electronic Commerce, regulate extensively the field of intermediary liability. This paper looks at the relationship between existing packet inspection technologies, especially the ‘deep version,’ and the international and national legal and regulatory interventions connected with intellectual property protection and with the correlated liabilities’ exemptions. In analyzing the referred two main statutes, we will take a comparative look at similar interventions in Australia and Canada that can offer some interesting elements of reflection.

    Traffic Profiling for Mobile Video Streaming

    This paper describes a novel system that provides key parameters of HTTP Adaptive Streaming (HAS) sessions to the lower layers of the protocol stack. A non-intrusive traffic profiling solution is proposed that observes packet flows at the transmit queue of base stations, edge-routers, or gateways. By analyzing IP flows in real time, the presented scheme identifies different phases of an HAS session and estimates important application-layer parameters, such as play-back buffer state and video encoding rate. The introduced estimators only use IP-layer information, do not require standardization and work even with traffic that is encrypted via Transport Layer Security (TLS). Experimental results for a popular video streaming service clearly verify the high accuracy of the proposed solution. Traffic profiling, thus, provides a valuable alternative to cross-layer signaling and Deep Packet Inspection (DPI) in order to perform efficient network optimization for video streaming. Comment: 7 pages, 11 figures. Accepted for publication in the proceedings of IEEE ICC'1

    High performance deep packet inspection on multi-core platform

    Deep packet inspection (DPI) provides the ability to perform quality of service (QoS) and Intrusion Detection on network packets. But since the explosive growth of the Internet, performance and scalability issues have been raised due to the gap between network and end-system speeds. This article describes what a desirable DPI system with multi-gigabits throughput and good scalability should be like by exploiting parallelism on network interface card, network stack and user applications. Connection-based parallelism, affinity-based scheduling and lock-free data structure are the main technologies introduced to alleviate the performance and scalability issues. A common DPI application L7-Filter is used as an example to illustrate the application level parallelism.

    Exploring a Service-Based Normal Behaviour Profiling System for Botnet Detection

    Effective detection of botnet traffic becomes difficult as the attackers use encrypted payload and dynamically changing port numbers (protocols) to bypass signature based detection and deep packet inspection. In this paper, we build a normal profiling-based botnet detection system using three unsupervised learning algorithms on service-based flow-based data, including self-organizing map, local outlier, and k-NN outlier factors. Evaluations on publicly available botnet data sets show that the proposed system could reach up to 91% detection rate with a false alarm rate of 5%.

    High-Performance Packet Processing Engines Using Set-Associative Memory Architectures

    The emergence of new optical transmission technologies has led to ultra-high Giga bits per second (Gbps) link speeds. In addition, the switch from 32-bit long IPv4 addresses to the 128-bit long IPv6 addresses is currently progressing. Both factors make it hard for new Internet routers and firewalls to keep up with wire-speed packet-processing. By packet-processing we mean three applications: packet forwarding, packet classification and deep packet inspection. In packet forwarding (PF), the router has to match the incoming packet's IP address against the forwarding table. It then directs each packet to its next hop toward its final destination. A packet classification (PC) engine examines a packet header by matching it against a database of rules, or filters, to obtain the best matching rule. Rules are associated with either an “action” (e.g., firewall) or a “flow ID” (e.g., quality of service or QoS). The last application is deep packet inspection (DPI) where the firewall has to inspect the actual packet payload for malware or network attacks. In this case, the payload is scanned against a database of rules, where each rule is either a plain text string or a regular expression. In this thesis, we introduce a family of hardware solutions that combine the above requirements. These solutions rely on a set-associative memory architecture that is called CA-RAM (Content Addressable-Random Access Memory). CA-RAM is a hardware implementation of hash tables with the property that each bucket of a hash table can be searched in one memory cycle. However, the classic hashing downsides have to be dealt with, such as collisions that lead to overflow and worst-case memory access time. The two standard solutions to the overflow problem are either to use some predefined probing (e.g., linear or quadratic) or to use multiple hash functions. We present new hash schemes that extend both aforementioned solutions to tackle the overflow problem efficiently.
    We show by experimenting with real IP lookup tables, synthetic packet classification rule sets and real DPI databases that our schemes outperform other previously proposed schemes.

    A NOVEL PACKET CLASSIFICATION TECHNIQUE FOR VOIP CANDIDATURE IN DEEP PACKET INSPECTION

    Voice over Internet telephony (VoIP) is extremely pervasive today. Its cheap availability and ease of setup have led serial harassers, criminals and even terrorists to use it for illegal activities. This makes VoIP subject to surveillance by Law Enforcement Agencies (LEAs). It has been observed that governments, in the solemn interest of national security, request companies like Skype, Google and others to hand over content of communications between suspected criminals. Seeing a business opportunity, the companies charge exorbitantly for retrieval thus costing the exchequer. Unlike any mechanisms of lawful interception which allow for an asymmetric and unsustainable monopoly, this paper proposes hidden placement of hardware network analyzers to perform deep packet inspection for network traffic payloads and intercepting them before they reach the voice service provider by performing packet classification in constant time using a Frame Check Sequence based classification technique as opposed to existing layer-by-layer techniques for determining packets as candidates for Deep Packet Inspection.