Evolving Threats: Why Deep Packet Inspection Is Critical for Intrusion Prevention

Imagine what would happen if the police in a major city regularly published their plans to stop crime and catch thieves, including where all patrols are every hour. Do you think crime would go up? Do you think successful robberies would increase?

Now think about network intrusion prevention. Some of the most widely used intrusion prevention system (IPS) signatures are freely available online for anyone to download. I’m willing to bet that most cybercriminals have studied those rules and are constantly inventing new ways to beat them.

The fact that nearly all of these rules are based on pattern-matching — a method of identifying known threats and exploits — only continues to increase an attacker’s chance of success in breaching your network and getting to your business-critical data.

Issues With Old Network Protection Systems

Commonly, IPSs have focused on preventing specific exploits or known attack patterns. Using these pattern-based signatures, when an IPS found something it knew to be a threat, it could stop it. But developing a signature for each and every known exploit (as opposed to focusing on protection at the vulnerability level) was and is an onerous task, and using so many signatures can severely degrade the performance of your network security devices. Sacrificing network performance for protection was not an attractive trade-off.

There is a long-standing debate on the effectiveness of pattern-matching signatures. The simple truth is that the nature of threats has evolved over time. There has been a steady rise in unknown threats, such as zero-day attacks and mutated threats, compounded by advanced evasion techniques that obfuscate a strike. By definition, we do not yet have a pattern-based signature for the threats we’ve never seen before. So it begs the question: How do we stop this growing number of unknown threats?

Using Deep Packet Inspection for Intrusion Prevention

Pattern-matching signatures, while helpful in some instances, are simply no match for the tidal wave of evolving threats most organizations are up against today. But if you were able to inspect the content inside the data packets traveling along your network as opposed to just looking for known patterns, you would be in a much better position to protect yourself.

That’s where deep packet inspection (DPI) can help. DPI is software technology that provides the ability to inspect any network packet to its very end.

The advantages of doing so are clear: Full parsing of the content layers of the packet (layers six and seven) is the only reliable way to detect some of the most dangerous attacks, which are often mutated or obfuscated using embedded content, special encoding schemes, compression or nonstandard syntax.

By inspecting and recognizing the entire application payload of a packet, DPI enables intelligent security threat detection with heuristics and behavioral-based rule sets that is simply not possible with pattern-matching technology.

Protocol Analysis Module Stops Tomorrow’s Threats Today

Since 1999, IBM’s intrusion prevention products have been using deep packet inspection to protect networks. The core IPS protection engine is the IBM Protocol Analysis Module (PAM), developed by IBM X-Force.

PAM offers full DPI through layer seven and applies heuristics and behavioral analysis to its findings to identify both known and unknown threats, even within encrypted traffic. It is highly tuned to block suspicious content while letting legitimate traffic pass through.

Additionally, our next-generation IPS offers throughput speeds of up to 25 Gbps, so you don’t need to sacrifice performance for protection. So that malware hiding inside an image inside the PDF file you received attached to an encrypted email? Yeah, we can detect and block that.

If you’d like to learn more about the IBM Protocol Analysis Module, attend the March 24 webinar “Breaking the Pattern: The Importance of Deep Packet Inspection for Intrusion Prevention.” Not only will you learn more about PAM and how it works, but our IBM X-Force team will discuss specific examples of how PAM’s unique approach has protected against vulnerabilities months and even years before exploits were disclosed.

Share this Article:
Jordan Carlson

Portfolio Marketing Manager, IBM

Jordan leads portfolio marketing for IBM Security’s network protection products. With more than 15 years of experience in the technology industry, Jordan has global experience across both products and services in strategy, product management, lead generation and collaborating with business partners. Prior to joining IBM, Jordan was an Account Director with an interactive agency, helping Fortune 500 companies develop their first Internet marketing strategies. He started his career leading marketing, public relations and fundraising for a national non-profit organization. Jordan holds an MBA from the University of Notre Dame, a BA from Miami University (Ohio) and is a member of Phi Beta Kappa.