GINTATE

Abstract

Deep packet inspection (DPI) is a basic monitoring technology, which realizes network traffic control based on application payload. The technology is used to prevent threats (e.g., intrusion detection systems, firewalls) and extract information (e.g., content filtering systems). Moreover, transport layer security (TLS) monitoring is required because of the increasing use of the TLS protocol, particularly by hypertext transfer protocol secure (HTTPS). TLS monitoring is different from TCP monitoring in two aspects. First, monitoring systems cannot inspect the content in TLS communication, which is encrypted. Second, TLS communication is a session unit composed of one or more TCP connections. In enterprise networks, dedicated TLS proxies are deployed to perform TLS monitoring. However, the proxies cannot be used when monitored devices are unable to use a custom certificate. Additionally, these networks contain problems of scale and complexity that affect the monitoring. Therefore, the DPI processing using another method requires high-speed processing and various protocol analyses across TCP connections in TLS monitoring. However, it is difficult to realize both simultaneously. We propose GINTATE, which decrypts TLS communication using shared keys and monitors the results. GINTATE is a scalable architecture that uses distributed computing and considers relational sessions across multiple TCP connections in TLS communication. Additionally, GINTATE achieves DPI processing by adding an extensible analysis module. By comparing GINTATE against other systems, we show that it can perform DPI processing by managing relational sessions via distributed computing and that it is scalable.