Deep Packet Inspection vs. Metadata Analysis of NDR solutions

Today, most Network Detection and Response solutions rely on traffic mirroring and deep packet inspection (DPI). Traffic mirroring is typically deployed on a single core switch to provide a copy of the network traffic to a sensor which uses DPI to thoroughly analyse the payload. While this approach provides detailed analysis, it requires large amounts of processing power and is blind when it comes to encrypted network traffic. Metadata analysis has been specifically developed to overcome these limitations. By utilising metadata for analysis, network communications can be observed at any collection point and be enriched by information providing insights about encrypted communication.

Network Detection and Response (NDR) solutions have become crucial to reliably monitor and protect network operations. However, as network traffic becomes encrypted and data volumes continue to increase, most traditional NDR solutions are reaching their limits. This begs the question: What detection technologies should organisations utilise to ensure maximum security of their systems?

This article will shed light on the concept of Deep Packet Inspection (DPI) and Metadata Analysis. We will compare both detection technologies and examine how modern Network Detection and Response (NDR) solutions can effectively protect IT/OT networks from advanced cyber threats.

What is Deep Packet Inspection (DPI), and how does it work?

DPI is a way of network traffic monitoring used to inspect network packets flowing across a specific connection point or switch. In DPI, the whole traffic is typically mirrored by a core switch to a DPI sensor. The DPI sensor then examins both the header and data section of the packet. If the data section is not encrypted, DPI data are rich in information and allow for robust analysis on the monitored connection points. Traditional NDR solutions rely on DPI-based technologies, which are quite popular to this day. However, in the face of rapidly expanding attack surfaces and evolving IT environments, the limitations of DPI become increasingly prevalent.

Why Is DPI not enough to detect Advanced Cyberattacks?

Organisations are increasingly using encryption to protect their network traffic and online interactions. Although encryption brings enormous benefits to online privacy and cybersecurity, it also provides a good opportunity for cybercriminals to hide in the dark when launching devastating cyberattacks. As DPI technology was not built for the analysis of encrypted traffic, it has become blind to the inspection of encrypted packet payloads. This is a significant shortfall for DPI since most modern cyberattacks, such as APT, ransomware, and lateral movement, heavily utilise encryption in their attack routine to receive attacks instructions from remote Command and Control Servers (C&C) scattered across the cyberspace. In addition to absent encryption capabilities, DPI requires large amounts of processing power and time in order to thoroughly inspect the data section of packets. Consequently, DPI cannot inspect all network packets in data-heavy networks, making it an unfeasible solution for high-bandwidth networks.

The new approach: Metadata Analysis

Metadata analysis has been developed to overcome the limitations of DPI. By utilising metadata for network analysis, security teams can monitor all network communications passing through any physical, virtualised or cloud networks without inspecting the entire data section of each packet. Consequently, Metadata analysis is unaffected by encryption and can deal with ever-increasing network traffic. In order to provide security teams with real-time intelligence of all network traffic, Metadata analysis captures vast arrays of attributes about network communications, applications, and actors (e.g. user logins). For instance, for every session passing through the network, the source/destination IP address, session length, protocol used (TCP, UDP), and the type of services used are recorded. Metadata can capture many other key attributes, which effectively help detect and prevent advanced cyberattacks:

  • Host and server IP address, port number, geo-location information
  • DNS and DHCP information mapping devices to IP addresses
  • Web pages accesses along with the URL and header information
  • Users to systems mapping using DC log data
  • Encrypted web pages – encryption type, cypher and hash, client/server FQDN
  • Different objects hashes – such as JavaScript and images

How can Security Teams benefit from a Metadata based NDR?

Implementing a Network Detection and Response (NDR) solution based on Metadata analysis provides security teams with reliable insights on what happens inside their network – no matter whether the traffic is encrypted or not. Metadata analysis supplemented by system- and application-logs allow security teams to detect vulnerabilities and improve internal visibility into blind spots, such as shadow IT devices, which are considered a common entry point exploited by cybercriminals. This holistic visibility is not possible with DPI-based NDR solutions. In addition, light-weight metadata allow for efficient log data storage of historical records, facilitating forensics investigations. Data-heavy DPI analysis makes long-term storage of historical data practically infeasible or very expensive. Finally, the metadata approach allows security teams to figure out the source of all traffic passing through corporate networks and monitor suspicious activity on all devices connected to networks, such as IoT devices. This makes complete visibility into corporate networks possible.

David Gugelmann


David Gugelmann

Co-CEO & Founder



Published on:


Book a demonstration of ExeonTrace

Schedule a demo and learn how ExeonTrace can make your business more resilient to cyber attacks.