Deep packet inspection (DPI) has been extensively investigated in software-defined networking (SDN) as complicated attacks may intractably inject malicious payloads in the packets. Existing proprietary pattern-based or port-based third-party DPI tools can suffer from limitations in efficiently processing a large volume of data traffic. In this paper, a novel OpenFlow-enabled deep packet inspection (OFDPI) approach is proposed based on the SDN paradigm to provide adaptive and efficient packet inspection. First, OFDPI prescribes an early detection at the flow-level granularity by checking the IP addresses of each new flow via OpenFlow protocols. Then, OFDPI allows for deep packet inspection at the packet-level granularity: (i) for unencrypted packets, OFDPI extracts the features of accessible payloads, including tri-gram frequency based on Term Frequency and Inverted Document Frequency (TF–IDF) and linguistic features. These features are concatenated into a sparse matrix representation and are then applied to train a binary classifier with logistic regression rather than matching with specific pattern combinations. In order to balance the detection accuracy and performance bottleneck of the SDN controller, OFDPI introduces an adaptive packet sampling window based on the linear prediction; and (ii) for encrypted packets, OFDPI extracts notable features of packets and then trains a binary classifier with a decision tree, instead of decrypting the encrypted traffic to weaken user privacy. A prototype of OFDPI is implemented on the Ryu SDN controller and the Mininet platform. The performance and the overhead of the proposed solution are assessed using the real-world datasets through experiments. The numerical results indicate that OFDPI can provide a significant improvement in detection accuracy with acceptable overheads.

深度数据包检测 (DPI) 已在软件定义网络 (SDN) 中得到广泛研究，因为复杂的攻击可能会难以处理地在数据包中注入恶意负载。现有的基于专有模式或基于端口的第三方 DPI 工具在有效处理大量数据流量方面可能会受到限制。在本文中，基于 SDN 范式提出了一种新的支持 OpenFlow 的深度数据包检测 (OFDPI) 方法，以提供自适应和高效的数据包检测。首先，OFDPI 通过 OpenFlow 协议检查每个新流的 IP 地址，规定了流级粒度的早期检测。然后，OFDPI 允许在数据包级粒度进行深度数据包检查：（i）对于未加密的数据包，OFDPI 提取可访问有效载荷的特征，包括基于词频和倒排文档频率（TF-IDF）和语言特征的三元频率。这些特征被连接成一个稀疏矩阵表示，然后被应用于训练一个带有逻辑回归的二元分类器，而不是匹配特定的模式组合。为了平衡SDN控制器的检测精度和性能瓶颈，OFDPI引入了基于线性预测的自适应数据包采样窗口；(ii) 对于加密数据包，OFDPI 提取数据包的显着特征，然后用决策树训练二元分类器，而不是解密加密流量以削弱用户隐私。OFDPI 的原型在 Ryu SDN 控制器和 Mininet 平台上实现。所提出的解决方案的性能和开销是通过实验使用真实世界的数据集来评估的。数值结果表明 OFDPI 可以在可接受的开销下显着提高检测精度。