nDPI is much more than a DPI library used to detect application protocols. In the past year, nDPI has grown in terms of cybersecurity features used to detect threats and network issues, leveraging the concept of flow risk. Each flow analysed by nDPI has an associated numerical flow risk, which is in essence a bitmap with a bit set to 1 for every risk that has been detected on that flow. The list of (to date) supported flow risks is:
- HTTP suspicious user-agent
- HTTP numeric IP host contacted
- HTTP suspicious URL
- HTTP suspicious protocol header
- TLS connections not carrying HTTPS (e.g. a VPN over TLS)
- Suspicious DGA domain contacted
- Malformed packet
- SSH/SMB obsolete protocol or application version
- TLS suspicious ESNI usage
- Unsafe protocol used
- Suspicious DNS traffic
- TLS with no SNI
- XSS (Cross Site Scripting)
- SQL Injection
- Arbitrary Code Injection/Execution
- Binary/.exe application transfer (e.g. in HTTP)
- Known protocol on non standard port
- TLS self-signed certificate
- TLS obsolete version
- TLS weak cipher
- TLS certificate expired
- TLS certificate mismatch
- DNS suspicious traffic
- HTTP suspicious content
- Risky ASN
- Risky Domain Name
- Malicious JA3 Fingerprint
- Malicious SHA1 Certificate
- Desktop or File Sharing Session
- TLS Uncommon ALPN
The flow risk bitmap can have zero bits set (no risks) or more, depending on the issues nDPI has found on the flow. For every risk, nDPI associates a severity, and for each severity a score. With “ndpiReader -h” you can display the list of known risks and their associated severity:
nDPI supported risks:

| Id | Risk | Severity | Score |
|---|---|---|---|
| 1 | XSS attack | Severe | 250 |
| 2 | SQL injection | Severe | 250 |
| 3 | RCE injection | Severe | 250 |
| 4 | Binary application transfer | Severe | 250 |
| 5 | Known protocol on non standard port | Low | 10 |
| 6 | Self-signed Certificate | Medium | 50 |
| 7 | Obsolete TLS version (< 1.1) | Medium | 50 |
| 8 | Weak TLS cipher | Medium | 50 |
| 9 | TLS Expired Certificate | High | 100 |
| 10 | TLS Certificate Mismatch | High | 100 |
| 11 | HTTP Suspicious User-Agent | Medium | 50 |
| 12 | HTTP Numeric IP Address | Low | 10 |
| 13 | HTTP Suspicious URL | High | 100 |
| 14 | HTTP Suspicious Header | Medium | 50 |
| 15 | TLS (probably) not carrying HTTPS | Low | 10 |
| 16 | Suspicious DGA domain name | High | 100 |
| 17 | Malformed packet | Low | 10 |
| 18 | SSH Obsolete Client Version/Cipher | Medium | 50 |
| 19 | SSH Obsolete Server Version/Cipher | Medium | 50 |
| 20 | SMB Insecure Version | Medium | 50 |
| 21 | TLS Suspicious ESNI Usage | Medium | 50 |
| 22 | Unsafe Protocol | Low | 10 |
| 23 | Suspicious DNS traffic | Medium | 50 |
| 24 | SNI TLS extension was missing | Medium | 50 |
| 25 | HTTP suspicious content | Medium | 50 |
| 26 | Risky ASN | Medium | 50 |
| 27 | Risky domain name | Medium | 50 |
| 28 | Possibly Malicious JA3 Fingerprint | Medium | 50 |
| 29 | Possibly Malicious SSL Cert. SHA1 Fingerprint | Medium | 50 |
| 30 | Desktop/File Sharing Session | Low | 10 |
| 31 | Uncommon TLS ALPN | Medium | 50 |
The flow risk score is computed as the sum of the scores (one per severity, as in the table above) of all risks whose bit is set to one. Example:
TCP 192.168.149.129:43535 <-> 51.83.238.219:80 [proto: 91.252/TLS.AnyDesk][cat: RemoteAccess/12][2942 pkts/175103 bytes <-> 4001 pkts/2618640 bytes][Goodput ratio: 9/92][55.97 sec][bytes ratio: -0.875 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 19/14 7028/7028 153/126][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 60/654 1514/1514 50/618][Risk: ** Known protocol on non standard port **** TLS (probably) not carrying HTTPS **** SNI TLS extension was missing **** Desktop/File Sharing Session **][Risk Score: 80][TLSv1.2][JA3C: 201999283915cc31cee6b15472ef3332][JA3S: 107030a763c7224285717ff1569a17f3][Issuer: CN=AnyNet Root CA, O=philandro Software GmbH, C=DE][Subject: C=DE, O=philandro Software GmbH, CN=AnyNet Relay][Certificate SHA-1: 9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3][Firefox][Validity: 2018-11-18 02:14:23 – 2028-11-15 02:14:23][Cipher: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,7,17,2,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,33,0,0,0,0,29,0,0]
The flow risk score is computed as follows:

| Risk | Score |
|---|---|
| Known protocol on non standard port | 10 |
| TLS (probably) not carrying HTTPS | 10 |
| SNI TLS extension was missing | 50 |
| Desktop/File Sharing Session | 10 |
| Flow Score Total | 80 |
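As an added example (not part of the original post or of the nDPI code base), the following Python parses the `[Risk: ...]` and `[Risk Score: N]` fields of an ndpiReader flow line, rebuilds the risk bitmap from the risk names, recomputes the score from the severity table printed by `ndpiReader -h`, and checks it against the score ndpiReader reported. The risk ids, names and severities are copied from the table above; the sample flow line is a trimmed copy of the AnyDesk flow shown on the page.

```python
import re

# Risk table as printed by "ndpiReader -h" on the page: names are ids 1..31 in order.
RISK_NAMES = (
    "XSS attack", "SQL injection", "RCE injection", "Binary application transfer",
    "Known protocol on non standard port", "Self-signed Certificate",
    "Obsolete TLS version (< 1.1)", "Weak TLS cipher", "TLS Expired Certificate",
    "TLS Certificate Mismatch", "HTTP Suspicious User-Agent", "HTTP Numeric IP Address",
    "HTTP Suspicious URL", "HTTP Suspicious Header", "TLS (probably) not carrying HTTPS",
    "Suspicious DGA domain name", "Malformed packet", "SSH Obsolete Client Version/Cipher",
    "SSH Obsolete Server Version/Cipher", "SMB Insecure Version", "TLS Suspicious ESNI Usage",
    "Unsafe Protocol", "Suspicious DNS traffic", "SNI TLS extension was missing",
    "HTTP suspicious content", "Risky ASN", "Risky domain name",
    "Possibly Malicious JA3 Fingerprint", "Possibly Malicious SSL Cert. SHA1 Fingerprint",
    "Desktop/File Sharing Session", "Uncommon TLS ALPN",
)
SEVERITY_SCORE = {"Severe": 250, "High": 100, "Medium": 50, "Low": 10}
RISK_SEVERITY = {  # id -> severity from the same table; every other id is Medium
    **{i: "Severe" for i in (1, 2, 3, 4)},
    **{i: "High" for i in (9, 10, 13, 16)},
    **{i: "Low" for i in (5, 12, 15, 17, 22, 30)},
}
RISK_ID = {name: i for i, name in enumerate(RISK_NAMES, start=1)}

def risk_score(risk_id):
    """Score contributed by one risk id (severity -> score mapping)."""
    return SEVERITY_SCORE[RISK_SEVERITY.get(risk_id, "Medium")]

def parse_flow_risks(flow_line):
    """Return (bitmap, computed_score, reported_score) for one ndpiReader flow line.
    Risk id N corresponds to bit N-1; names in the Risk field are separated by '****'."""
    m = re.search(r"\[Risk: (.*?)\]\[Risk Score: (\d+)\]", flow_line)
    if not m:
        return 0, 0, None  # flow line carries no risk field
    names = [n.strip() for n in m.group(1).strip("* ").split("****")]
    bitmap = 0
    for n in names:
        bitmap |= 1 << (RISK_ID[n] - 1)
    computed = sum(risk_score(i) for i in range(1, len(RISK_NAMES) + 1)
                   if (bitmap >> (i - 1)) & 1)
    return bitmap, computed, int(m.group(2))

# Trimmed copy of the AnyDesk flow line from the page (constructed sample input).
EXAMPLE_FLOW = ("TCP 192.168.149.129:43535 <-> 51.83.238.219:80 [proto: 91.252/TLS.AnyDesk]"
                "[Risk: ** Known protocol on non standard port **** TLS (probably) not carrying "
                "HTTPS **** SNI TLS extension was missing **** Desktop/File Sharing Session **]"
                "[Risk Score: 80]")

if __name__ == "__main__":
    bitmap, computed, reported = parse_flow_risks(EXAMPLE_FLOW)
    print(f"bitmap=0x{bitmap:x} computed={computed} reported={reported}")
```

A mismatch between the computed and reported score means the local severity table is out of date with the nDPI build that produced the log, which is worth checking before using the score as a label.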
The score is a numerical value that represents how risky a flow is: the higher the score, the more “risky” the flow. Using this technique you can immediately spot the flows that are more suspicious and require more attention, without resorting to multivariate traffic analysis or complex algorithms. The flow score can also be used as a good labelling technique for machine-learning based traffic analysis tools.
Enjoy!