Deep Protocol Behavior Inspection


Intrusion detection/prevention systems still base their core engines on the same technology that was used a decade ago: byte pattern matching and Deep Packet Inspection (DPI), which analyses the data payload of network packets. Albeit effective in detecting most known attacks, pattern-based DPI suffers from a lack of context information.

This analysis does not take the underlying application protocol into consideration, hence it is difficult to identify unknown threats that exploit a specific field of the protocol, perhaps only 4 bytes long, to carry the attack. Apart from some detection solutions developed specifically for the HTTP protocol, in the form of Web Application Firewalls, some generic attempts to provide more knowledge about the underlying protocol have been made by employing pre-processors that allow specific checks on certain protocol fields (Snort, Suricata). However, these remain isolated cases, which can improve the detection of unknown attack payload vectors for a known vulnerability but fail to enhance the detection of unknown threats.

Today, SecurityMatters introduces Deep Protocol Behavior Inspection (DPBI), a breakthrough approach to intrusion detection. DPBI takes the detection of cyber attacks to a completely new level, making it possible to identify new and unknown threats (such as 0-day and targeted attacks) as soon as they take place, regardless of their level of sophistication or obfuscation. DPBI exploits knowledge of the underlying application protocol to perform the analysis. On top of this, the true power of DPBI comes from its signature-less analysis.

This unique technological combination boosts the detection of unknown threats. By exploiting knowledge of the protocol specification, our network monitoring detection system SilentDefense can observe the typical content of each protocol field and apply the best analysis for that content. Thus, the signature-less detection engine devises a tailored analysis for each protocol field. For instance, a length field, which contains only integer values, is processed differently from one containing text strings. By dropping pattern-matching-based analysis, SilentDefense is able to detect new and unknown threats that do not use any previously known attack vector.

A typical example is the exploitation of a buffer overflow. A buffer overflow, as the name suggests, takes place when more data than expected is copied into a buffer. This vulnerability can lead to code execution on the victim. Regular protocol messages will always be limited to a certain length (or they would have triggered the vulnerability themselves). Thus, SilentDefense builds a specific detection model for the length field from the observed values. Later on, when the attacker injects some malicious payload, she will have to exceed the observed regular length values in order to trigger the vulnerability and execute her code.

SilentDefense will detect this attack attempt no matter which attack payload is chosen, because the root cause of the vulnerability is the length value, not the attack payload. On the other hand, "old" pattern-based intrusion detection/prevention systems focus on the attack payload. The attacker can modify its content without altering the attack functionality, for instance by encoding it, thus making the pattern-based detection system blind.
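The per-field, signature-less analysis described above (a tailored model for an integer length field versus a text field, learned from observed traffic) and the length-based buffer overflow example can be illustrated with a small Python sketch. This is an added example written for this page; it is not SilentDefense code and says nothing about how SilentDefense is implemented. The message layout (2-byte big-endian body length, 1-byte command id, body), the field names and the training traffic are all constructed for the example.

```python
"""Toy per-field anomaly detection for a constructed request/response protocol.

Learning phase: each protocol field gets a model suited to its type (integer
fields learn the observed value range, text fields learn the observed maximum
length and byte classes). Detection phase: each field of a new message is
checked against its own model, with no attack signatures involved.
"""
import string
import struct
from dataclasses import dataclass
from typing import List, Optional

PRINTABLE = set(string.printable.encode("ascii"))


def parse_message(raw: bytes) -> dict:
    """Split one message of the constructed protocol into named fields."""
    if len(raw) < 3:
        raise ValueError("message too short for header")
    body_len, command = struct.unpack(">HB", raw[:3])
    # The declared length is kept as its own field: it is the value an
    # over-long message must raise, whatever bytes the body carries.
    return {"length": body_len, "command": command, "body": raw[3:]}


@dataclass
class IntFieldModel:
    """Model for an integer field: the [lo, hi] range seen while learning."""
    lo: Optional[int] = None
    hi: Optional[int] = None

    def learn(self, value: int) -> None:
        self.lo = value if self.lo is None else min(self.lo, value)
        self.hi = value if self.hi is None else max(self.hi, value)

    def check(self, value: int) -> Optional[str]:
        if self.lo is None:
            return "no baseline learned"
        if value < self.lo or value > self.hi:
            return f"value {value} outside learned range [{self.lo}, {self.hi}]"
        return None


@dataclass
class TextFieldModel:
    """Model for a text field: maximum length and whether it stayed printable."""
    max_len: int = 0
    printable_only: bool = True

    def learn(self, value: bytes) -> None:
        self.max_len = max(self.max_len, len(value))
        if any(b not in PRINTABLE for b in value):
            self.printable_only = False

    def check(self, value: bytes) -> Optional[str]:
        if len(value) > self.max_len:
            return f"length {len(value)} exceeds learned maximum {self.max_len}"
        if self.printable_only and any(b not in PRINTABLE for b in value):
            return "non-printable bytes in a field that was always printable"
        return None


class ProtocolModel:
    """One tailored model per protocol field, built from observed traffic."""

    def __init__(self) -> None:
        self.fields = {
            "length": IntFieldModel(),
            "command": IntFieldModel(),
            "body": TextFieldModel(),
        }

    def learn(self, raw: bytes) -> None:
        for name, value in parse_message(raw).items():
            self.fields[name].learn(value)

    def inspect(self, raw: bytes) -> List[str]:
        """Return one alert per anomalous field; an empty list means normal."""
        alerts = []
        for name, value in parse_message(raw).items():
            reason = self.fields[name].check(value)
            if reason:
                alerts.append(f"{name}: {reason}")
        return alerts


def build_message(command: int, body: bytes) -> bytes:
    """Encode a message in the constructed layout (length, command, body)."""
    return struct.pack(">HB", len(body), command) + body


# Constructed learning traffic: short printable bodies, two command ids.
NORMAL_TRAFFIC = [
    build_message(1, b"GET status"), build_message(1, b"GET temp"),
    build_message(2, b"SET mode=auto"), build_message(2, b"SET limit=40"),
]


def demo():
    model = ProtocolModel()
    for msg in NORMAL_TRAFFIC:
        model.learn(msg)
    normal = model.inspect(build_message(1, b"GET time"))
    # An over-long body trips the length model whatever its content, so a
    # plain and an encoded-looking body get the same verdict.
    oversized = model.inspect(build_message(1, b"A" * 300))
    encoded = model.inspect(build_message(1, b"QUFB" * 80))
    return normal, oversized, encoded


if __name__ == "__main__":
    for label, alerts in zip(("normal", "oversized", "encoded"), demo()):
        print(label, alerts or "OK")
```

The learned range for the length field is taken literally here, so a legitimate message shorter than anything seen during learning would also be flagged; a production engine would need a longer learning window and some tolerance around the observed bounds to keep false positives down. The point the page makes survives the toy: the alert comes from the length field's model, not from the bytes of the body, so re-encoding the body changes nothing.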

Copyright © 2009-2012 SecurityMatters B.V. and respective copyright owners.