Mobile Internet DPI and Network Visibility Analysis Platform

The Mobile Internet DPI (Deep Packet Inspection) and Network Visualization Analysis Platform is deployed at the core network nodes of mobile operators. It is designed for monitoring and managing network traffic in various core networks, including 4G and 5G, primarily serving telecommunications operators and relevant regulatory bodies, ensuring compliance with industry standards and performance evaluation requirements.

The Mobile Internet DPI and Network Visualization Analysis Platform consists of several modules, including the signaling plane analysis module, user plane analysis module, sample restoration module, sample scanning engine, traffic management engine, and analytics module. It supports the detection of anomalies such as malicious program propagation, traffic anomalies, and network behavior analysis, generating event logs based on detected incidents. It also enables the capture and restoration of samples for further analysis, facilitating the identification and management of related events.

This system is deployed at the core network nodes of operators' mobile Internet infrastructure, supporting the monitoring and management of network traffic in 4G, 5G, and other core network environments. It primarily serves telecommunications operators and regulatory bodies, ensuring compliance with international industry standards.

Since certain user data, such as from N3 (S1-U/) interfaces, lacks user identification or location information, the platform retrieves user data from other interfaces (e.g., N4, N11, S11, S5-C) to correlate and enrich this data.

The Mobile Internet DPI and Network Visualization Analysis Platform is compatible with both traditional x86 servers and alternative architecture servers, including Kunpeng, Feiteng, and Haiguang, offering robust cross-platform compatibility. The platform delivers leading performance and functionality and has earned high recognition within the telecommunications industry.

Protocol Recognition and Event Analysis

• Supports the analysis of Internet, IoT, Vehicle-to-Everything (V2X), and Industrial IoT (IIoT) communication protocols.
• Extracts detailed information from packets, such as device types, manufacturers, and hardware/software versions, for asset identification.
• Utilizes an analytics engine to detect and log incidents such as compromised hosts, harmful programs, and traffic anomalies, and restores malicious samples for further analysis when necessary.

Traffic Management and Incident Handling

• Supports policy-based management of traffic, enabling the definition and enforcement of rules for protocols such as TCP, IP addresses, domain names, URLs, phone numbers, user identifiers (SUPI/IMSI), and mobile device identifiers (PEI/IMEI).
• Provides traffic control capabilities, including blocking or redirecting traffic based on identified malicious patterns, with the option to implement blacklist-based blocking for unwanted traffic.

High Performance and Accurate Detection

• Features high integration and low energy consumption, powered by an efficient data collection and analysis engine (UCPP) that incorporates technologies like zero-copy, lock-free queues, and large pages, significantly enhancing traffic processing performance. The platform can process up to 90 Gbps on a 1U device.
• The detection accuracy for malicious program propagation and abnormal traffic events is over 95%, with a network behavior anomaly detection success rate of at least 85%. The platform can handle a blacklist capacity of up to 4 million entries. The success rate for blocking based on URLs, IPs, domains, and phone numbers is over 95%, with real-world precision and recall rates exceeding 98%.

Comprehensive Traffic and Communication Relationship Discovery

• Supports link-based discovery and association, as well as parsing of proprietary protocols.
• Includes a built-in traffic relationship model for Internet communications, enabling the correlation of VoLTE, VoNR, CSFB, 2/3G CS domain call records, and traffic from IM apps like Skype, WeChat, and QQ. This enhances the identification of communication patterns and behavior analysis among different entities.

Preprocessing

• Supports protocol analysis for signaling plane traffic, including HTTP2, PFCP, GTPv2C, and others.
• Supports user plane GTP-U protocol analysis.
• Supports IoT protocol analysis for MQTT, COAP, and other IoT standards.
• Supports IPv6 protocol analysis.
• Extracts key data such as user identifiers, location information, five-tuple data, URLs, and hostnames for further processing.

Traffic Behavior Analysis

• Supports detection of malicious program behaviors based on sample files, including but not limited to SIS/SISX/EXE/JAR/APK/CAB/RAR/ZIP/IPA/COD/ALX/PRC/ELF formats.
• Analyzes traffic for abnormal behaviors and incidents.
• Supports rule-based detection of suspicious websites and URLs.
• Provides identification and analysis of mobile terminal types.

Sample Restoration

• Supports restoration of files using various transfer protocols, such as HTTP, FTP, and EMAIL, with supported file formats including SIS/SISX/EXE/JAR/APK/CAB/RAR/ZIP/IPA/COD/ALX/PRC/ELF.
• Enables multi-dimensional matching of restored sample file attributes, including file size, format, and hash values.
• Detects sensitive keywords and phrases within files.

Traffic Management and Incident Handling

• Supports blacklist-based management for malicious code propagation, enabling blocking or redirection of traffic accordingly.
• Enables blocking of abnormal traffic from compromised devices (e.g., infected smartphones or PCs) and propagation of harmful content via URLs or other identifiers.
• Supports multi-dimensional traffic management, including by IP address ranges, domain names, URLs, device characteristics, and phone number ranges, allowing for precise control over network traffic.

Feature Database Management

• Includes a traffic analytics feature database.
• Supports a database for identifying and analyzing harmful program behavior.
• Allows for configuration and upgrade of the feature database through an API.