User Protocols

Cubro Service Gateway includes a high-performance traffic analysis core that classifies TCP and UDP (Layer 4) sessions by protocol up to Layer 7. To form a stable signature, Cubro Service Gateway combines several analysis approaches:

  • Sample analysis (Pattern analysis).
  • Numerical analysis.
  • Behavioral analysis.
  • Heuristic analysis.
  • Protocol/stateful analysis.

Some signatures identify a protocol with 100% accuracy, while others are probabilistic. For protocols recognized by probabilistic analysis, false positives and false negatives can therefore occur.

The recognition percentage depends on the nature of the traffic itself, including the presence of asymmetry, where the DPI device receives only part of the traffic: either only incoming sessions or only outgoing ones. The less asymmetry in the analyzed traffic, the higher the recognition percentage. In the absence of asymmetry, the recognized traffic percentage approaches 90%.

Cubro Service Gateway contains two types of signatures:

  • Built-in signatures, which are part of the DPI engine and are updated along with the Cubro Service Gateway software.
  • Dynamic signatures, which are loaded into the core during the operation of Cubro Service Gateway.

Built-in signatures are updated with each new version of Cubro Service Gateway software. The release interval is from 1 to 3 months. If there is a need for kernel updates, releases may occur more frequently, including upon customer request.

Dynamic signatures are loaded from the cloud at dpicloud.cubro.com and are divided into manufacturer-provided signatures and user-defined protocols. In both cases, updates are delivered through the dpicloud.cubro.com infrastructure. The Cubro cloud consolidates dynamic signatures supplied by the manufacturer and protocols defined by users. As a result, Cubro Service Gateway nodes download compiled .bin files for core operation and reference guides to support user-defined protocols in the graphical interface.

The dynamic signature mechanism allows rapid updates for VPN services and other circumvention methods. Some applications cannot be recognized "on the fly," and identifying them requires analyzing accumulated data or running additional checks on the cloud infrastructure side. The detectors and AI hosted in the dpicloud.cubro.com cloud generate a list of IP addresses and SNI values, which is delivered to the DPI as dynamic protocols.

Country-Scaled DPI, by default, does not export user data (IPFIX flow, IPFIX metadata) to the cloud. Some detectors may be hosted locally on the customer's infrastructure. However, for certain sensitive protocols, it may be necessary to export data to dpicloud.cubro.com for further processing.

The user protocol mechanism allows for defining a new protocol based on the following criteria:

  1. IP
  2. IP + port
  3. CIDR
  4. CIDR + port
  5. AS number
  6. TLS Server Name Indication (SNI)
  7. TLS certificate Common Name (CN), checked when SNI is absent
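The following added example (not Cubro's code or rule format) shows how the criteria above can be evaluated against a flow, including the fallback to the Common Name only when no SNI is present. The `Flow` and `Rule` shapes, the `ASN_TABLE` lookup, first-match ordering, and exact case-insensitive hostname comparison are all assumptions made for illustration; addresses and AS numbers are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    sni: Optional[str] = None       # server_name from the TLS ClientHello, if sent
    cert_cn: Optional[str] = None   # Common Name from the server certificate, if seen

@dataclass
class Rule:                         # hypothetical rule shape, not the product's format
    protocol: str
    cidr: Optional[str] = None      # a single IP is written as a /32 (or /128)
    port: Optional[int] = None
    asn: Optional[int] = None
    hostname: Optional[str] = None  # compared with SNI, or with CN when SNI is absent

ASN_TABLE = {"198.51.100.0/24": 64500}  # constructed prefix-to-AS table

def asn_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((a for p, a in ASN_TABLE.items() if addr in ipaddress.ip_network(p)), None)

def rule_matches(rule, flow):
    if rule.cidr and ipaddress.ip_address(flow.dst_ip) not in ipaddress.ip_network(rule.cidr):
        return False
    if rule.port is not None and rule.port != flow.dst_port:
        return False
    if rule.asn is not None and asn_of(flow.dst_ip) != rule.asn:
        return False
    if rule.hostname:
        # Criterion 7: the certificate CN is consulted only when no SNI was sent.
        name = flow.sni if flow.sni else flow.cert_cn
        if not name or name.lower().rstrip(".") != rule.hostname.lower():
            return False
    return True

def classify(rules, flow):
    """Return the protocol of the first matching rule (ordering is an assumption)."""
    return next((r.protocol for r in rules if rule_matches(r, flow)), None)

RULES = [
    Rule("corp-vpn", cidr="192.0.2.10/32", port=1194),  # IP + port
    Rule("partner-net", cidr="203.0.113.0/24"),         # CIDR
    Rule("cdn-x", asn=64500),                           # AS number
    Rule("portal", hostname="portal.example.com"),      # SNI, else CN
]
```

A flow that sends a non-matching SNI is not classified by its certificate CN, because the CN check applies only when SNI is absent.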

For more information on adding user-defined protocols, see Case 6. Custom Protocols / Signatures.