Dubai, 20 November 29 November 2012
Download 1.36 Mb.
|
- Navigate this page:
- II.1.3 Generic rule format
- II.2.1 Example “Security check – Block SIP messages with specific content types and derive SIP device address”
- II.2.2 Example “Detection of Malware”
- II.2.3 Example “Detection of specific video format”
- II.2.4 Example “Detection of File Transfer in general”
II.1 IntroductionII.1.1 PurposeAccompanying material for discussion of DPI use cases and requirements. II.1.2 Specification level of rulesPacket inspection may be considered as a packet policing function (see Appendix VII). The particular “inspection function” may be thus formulated as policy rule. The specification depth may differ in various respects: • High-level • Low-level rules (using informal specification language, like a prose language) • Low-level rules (using formal specification grammar) II.1.3 Generic rule formatIn order to use a common description format, the examples here following below generic rule format, comprised of • a rule header (name, identifier, precedence, etc.) and • a rule body (for conditions, actions). 
Figure II.1 – Generic rule format It may be noted again that the specification of explicit bindings between actions and conditions is out of scope of this Recommendation.
II.2 Example policy rules for Application-dependent, Flow-dependent DPI – Identification order “1st Application, 2nd Flow”II.2.1 Example “Security check – Block SIP messages with specific content types and derive SIP device address”Table II.2.1 – Example
II.2.2 Example “Detection of Malware”Here: network-based detection of malicious software (‘malware’), which is typically distributed via FTP and HTTP (or SMTP), in contrary to host-based malware detection. Assumption: a pattern matching technique is sufficient for detecting particular malware. The characteristic patterns of malwares are registered beforehand as signatures, and it detects malwares by comparing these patterns with byte code of a malware. Pattern matching technique is effective for existing malwares whose signature has been created. Table II.2.2 – Example
II.2.3 Example “Detection of specific video format”Here: H.264 as example. Rule may be further refined for checking specific subformats. Table II.2.3 – Example
II.2.4 Example “Detection of File Transfer in general”Here: FTP/TCP-based file transfer, thus an example of an IP application with two (or >2) "flow components", one control flow and "0 to many (parallel)" data flows (separate TCP connections for individual file transfers). The assumption here: the overall flow level conditions are given by just the 2-tuple of IP connection endpoint addresses (of FTP client and FTP server). Table II.2.4 – Example
That’s an example of stateful DPI, abstracted here to just two states for control traffic detection and file traffic detection. The initial state (S1) belongs to the “flow independent” identification category (FI) and subsequent state S2 is then acting in “flow dependent” identification category (FD) mode. Directory: wp-content -> uploads -> 2012 2012 -> The Case Against the nypd’s Quota-Driven ‘Broken Windows’ Policing What Is It? 2012 -> Aa and na members Dying from Tobacco 2012 -> [Baby Crying] 01: 04 [Ching 2012 -> Unit Name / Nom de l’unité uic / ciu dates 2012 -> What We Owe Jehovah’s Witnesses 2012 -> Oceans Challenge Badge 2012 -> Canadian cycling olympians 2012 -> Greg landry, june olkowski and tom lysiak 2012 -> William goldman 2012 -> Does translocation and restocking confer any benefit to the European eel population? A review Download 1.36 Mb. Share with your friends:
| ||||||||||||||||||||||||||