Deep Packet Inspection as a Service

Hay David, HUJI, School of Computer Science and Engineering, Computer Science


Middleboxes play a major role in Software Defined Networks (SDN), as forwarding compressed packets is not enough to meet operators' demands in terms of security, QoS/QoE provisioning and load balancing. In current systems, Deep Packet Inspection (DPI) is a common task in many middleboxes and the most resource-consuming one.

Today, the traffic is usually routed through a chain of middleboxes before reaching its destination. The traffic is scanned over and over again by middleboxes with a DPI component. Even consolidated middlebox solutions perform DPI separately from scratch.


There is a need to offer middlebox hardware as a service outside the network, to consolidate multiple middleboxes and thus optimize network efficiency and reduce operating costs.

Our Innovation

This technology extracts the DPI engine from the different middleboxes and provides it as a service for various middleboxes in the network. This service is provided by deploying one or more service instances around the network, all controlled by a logically-centralized DPI Controller. Thus, a packet in such a network would go through a single DPI service instance and then visit middleboxes according to its policy chain.


  • Superior throughput and reduced memory footprint
  • Resource sharing as the hardware used for DPI is decoupled from the specific middlebox
  • Robustness and security due to avoiding concentrating the traffic in a single location
  • Single DPI scan per packet, e.g., decompression or decryption is performed only once for each packet


Figure 1 Examples of middlebox chains (a.k.a. policy chains), with and without DPI as a service



Each packet that requires DPI by any of the middleboxes on its policy chain is forwarded to the DPI service, where it is inspected only once. Then, the inspection results (namely, the patterns that were matched) are communicated to the corresponding middleboxes, either on the same packet (e.g., using NSH) or on a different packet.
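The following is an added toy model of the flow just described (and of the controller/instance split described under "Our Innovation"); it is illustrative code written for this page, not the project's implementation. Each middlebox registers its pattern set with a logically-centralized controller, the controller compiles the union of all patterns into one Aho-Corasick automaton for the DPI service instances, a packet is scanned once, and the matches are demultiplexed per middlebox and attached to the packet as metadata standing in for an NSH header. All middlebox names, patterns and the sample payload are constructed for illustration.

```python
"""DPI as a service, toy model (added example; not the project's code)."""
from collections import deque
from dataclasses import dataclass, field


class AhoCorasick:
    """Multi-pattern matcher: one pass over the payload reports every pattern."""

    def __init__(self, patterns):
        self.goto = [{}]        # goto[state][byte] -> next state
        self.fail = [0]         # failure link per state
        self.out = [set()]      # patterns recognised when reaching a state
        for p in patterns:
            self._add(p)
        self._build_failure_links()

    def _add(self, pattern):
        s = 0
        for b in pattern:
            if b not in self.goto[s]:
                self.goto.append({}); self.fail.append(0); self.out.append(set())
                self.goto[s][b] = len(self.goto) - 1
            s = self.goto[s][b]
        self.out[s].add(pattern)

    def _build_failure_links(self):
        q = deque(self.goto[0].values())      # depth-1 states fail to the root
        while q:                              # BFS: parents are done before children
            r = q.popleft()
            for b, s in self.goto[r].items():
                q.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]   # inherit suffix matches

    def scan(self, payload):
        """Single linear pass; returns the set of patterns found anywhere."""
        matched, s = set(), 0
        for b in payload:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            matched |= self.out[s]
        return matched


@dataclass
class Packet:
    payload: bytes
    policy_chain: list                                   # middlebox names, in order
    dpi_results: dict = field(default_factory=dict)      # stands in for NSH metadata


class DPIService:
    """One service instance: scans once, then hands each middlebox its own hits."""

    def __init__(self, matcher, registry):
        self.matcher, self.registry = matcher, registry

    def inspect(self, packet):
        matched = self.matcher.scan(packet.payload)      # the single DPI scan
        for mb in packet.policy_chain:
            if mb in self.registry:                      # only DPI-using middleboxes
                packet.dpi_results[mb] = sorted(matched & self.registry[mb])
        return packet


class DPIController:
    """Logically-centralized: tracks which middlebox registered which patterns."""

    def __init__(self):
        self.registry = {}                               # middlebox -> set of patterns

    def register(self, middlebox, patterns):
        self.registry[middlebox] = set(patterns)

    def build_service_instance(self):
        union = set().union(*self.registry.values()) if self.registry else set()
        return DPIService(AhoCorasick(union), self.registry)


def run_example():
    # Constructed registrations and payload; names and patterns are hypothetical.
    ctl = DPIController()
    ctl.register("ids", [b"cmd.exe", b"/etc/passwd"])
    ctl.register("l7-firewall", [b"/etc/passwd", b"BitTorrent"])
    ctl.register("content-filter", [b"gambling"])        # not on this packet's chain
    service = ctl.build_service_instance()
    pkt = Packet(payload=b"GET /../../etc/passwd HTTP/1.1\r\nUser-Agent: cmd.exe\r\n",
                 policy_chain=["ids", "l7-firewall", "load-balancer"])
    return service.inspect(pkt).dpi_results


if __name__ == "__main__":
    print(run_example())
```

The shared pattern `/etc/passwd` is matched once even though two middleboxes asked for it, and a middlebox without registered patterns (the load balancer) receives no DPI metadata at all; adding a new DPI-using middlebox only requires a registration with the controller, not another scan of the packet.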

The proposed framework relies heavily on virtualization and therefore includes both a virtual DPI service, which is instantiated across the network, and a DPI controller, whose role is to orchestrate the different DPI service instances. Making DPI a service has implications not only for the architecture and the system design of a middlebox that uses DPI, but also for the algorithmic aspects of the DPI engine (which is implemented by the virtual DPI service) itself. Specifically, the researchers present one such tailor-made algorithm that benefits from the flexibility of a virtual environment.


Figure 2 DPI as a Service, system architecture.  The DPI controller abstracts the DPI process to other network elements and controls DPI service instances across the network. Packets flow through the network as dictated by policy chains.


  • Deploying DPI as a service is a catalyzer for innovation in the middlebox domain
  • Deep Packet Inspection as a Service will enhance network performance and flexibility, efficiency and robustness in SDN systems. 

Patent Status

Granted US 10,541,970

Contact for more information:

Anna Pellivert