GINTATE: Scalable and Extensible Deep Packet Inspection System for Encrypted Network Traffic: Session Resumption in Transport Layer Security Communication Considered Harmful to DPI

Title: GINTATE: Scalable and Extensible Deep Packet Inspection System for Encrypted Network Traffic: Session Resumption in Transport Layer Security Communication Considered Harmful to DPI
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Miura, Ryosuke; Takano, Yuuki; Miwa, Shinsuke; Inoue, Tomoya
Conference Name: Proceedings of the Eighth International Symposium on Information and Communication Technology
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-5328-1
Keywords: deep packet inspection, network monitoring, pubcrawl, resilience, Resiliency, Scalability
Abstract: Deep packet inspection (DPI) is a basic monitoring technology, which realizes network traffic control based on application payload. The technology is used to prevent threats (e.g., intrusion detection systems, firewalls) and extract information (e.g., content filtering systems). Moreover, transport layer security (TLS) monitoring is required because of the increasing use of the TLS protocol, particularly by hypertext transfer protocol secure (HTTPS). TLS monitoring is different from TCP monitoring in two aspects. First, monitoring systems cannot inspect the content in TLS communication, which is encrypted. Second, TLS communication is a session unit composed of one or more TCP connections. In enterprise networks, dedicated TLS proxies are deployed to perform TLS monitoring. However, the proxies cannot be used when monitored devices are unable to use a custom certificate. Additionally, these networks contain problems of scale and complexity that affect the monitoring. Therefore, the DPI processing using another method requires high-speed processing and various protocol analyses across TCP connections in TLS monitoring. However, it is difficult to realize both simultaneously. We propose GINTATE, which decrypts TLS communication using shared keys and monitors the results. GINTATE is a scalable architecture that uses distributed computing and considers relational sessions across multiple TCP connections in TLS communication. Additionally, GINTATE achieves DPI processing by adding an extensible analysis module. By comparing GINTATE against other systems, we show that it can perform DPI processing by managing relational sessions via distributed computing and that it is scalable.
URL: http://doi.acm.org/10.1145/3155133.3155152
DOI: 10.1145/3155133.3155152
Citation Key: miura_gintate:_2017