An Adaptive Application Recognition Engine for a Growing Number of Applications and Protocols

Nio is powered by CUB4, a software-based protocol recognition engine that not only recognizes a wide range of applications, services, and protocols but is also designed to cope with an ever-evolving and expanding Internet application ecosystem.

Nio is integrated with SIGMA, a telemetry-based service that collects information about new protocols and threats, enabling the timely discovery of new applications and the rapid updating of customer sites.

Niometrics Architecture

CUB4: Best-of-breed Application Recognition

The CUB4 protocol recognition engine emerged from more than five years of research into the weaknesses of legacy application-recognition strategies.
The key feature of CUB4 is its adaptability: an extensible, software-centric design allows fast updates as new protocols and risks emerge and shortens the time needed to deploy detectors for new protocol features.

Instead of relying on general-purpose content inspection technology, the CUB4 engine was designed from the ground up to satisfy today’s complex protocol recognition needs, and to provide the flexibility needed to cope with an ever-changing protocol ecosystem. This includes the challenges of accurately identifying evasive applications relying on encryption and obfuscation, as well as the complexities of Web 2.0 applications and protocols that use HTTP as their transport layer.

The core processing components of CUB4 have been designed to handle protocol recognition workloads efficiently in pure software, dispensing with the need for less flexible ASIC, FPGA, or network-processor acceleration. The core recognition logic uses an array of content and statistical analysis techniques that are essential for recognizing today's traffic, while providing extension hooks for additional feature receptors to be developed as new protocol families emerge.
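The two paragraphs above describe a pure-software core that combines content inspection with statistical analysis, exposes hooks for new feature receptors, and sub-classifies applications that use HTTP as their transport. The following is an added example, not CUB4 code, that sketches such a chain: an ordered list of receptors runs over the first client-to-server bytes of a flow; content receptors fingerprint a TLS ClientHello and an HTTP request line, the HTTP receptor sub-classifies by Host header, a statistical receptor uses payload entropy to flag encrypted or obfuscated traffic that matched no fingerprint, and a destination-port guess comes last with low confidence. New receptors are registered with a decorator so the core never changes. Every application name, hostname, port and payload below is constructed for the example.

```python
# Toy application-recognition chain (added example, not CUB4 code). All app
# names, hostnames, ports and payloads are constructed for the example.
import math
import re
from dataclasses import dataclass

@dataclass
class Flow:
    dst_port: int
    payload: bytes              # first client-to-server bytes of the flow

@dataclass
class Verdict:
    label: str
    confidence: float           # 0.0 .. 1.0
    receptor: str               # which receptor produced the verdict

RECEPTORS = []                  # (name, function) in evaluation order

def receptor(name):
    """Extension hook: register a function Flow -> Verdict | None."""
    def register(fn):
        RECEPTORS.append((name, fn))
        return fn
    return register

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext or compressed data, low for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Hypothetical Host-suffix -> application table (constructed names).
HTTP_APPS = {b"example-chat.test": "example-chat", b"example-video.test": "example-video"}
HTTP_REQUEST = re.compile(rb"(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
HTTP_HOST = re.compile(rb"\r\n[Hh]ost: *([^\r\n]+)")

@receptor("tls-client-hello")
def tls_client_hello(flow):
    p = flow.payload
    # TLS record: type 0x16 (handshake), version 3.x; handshake type 1 = ClientHello
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return Verdict("tls", 0.95, "tls-client-hello")
    return None

@receptor("http")
def http_request(flow):
    if not HTTP_REQUEST.match(flow.payload):
        return None
    host = HTTP_HOST.search(flow.payload)
    if host:
        name = host.group(1).strip().lower()
        for suffix, app in HTTP_APPS.items():
            if name == suffix or name.endswith(b"." + suffix):
                return Verdict("http/" + app, 0.9, "http")   # application riding on HTTP
    return Verdict("http", 0.8, "http")

@receptor("entropy")
def high_entropy(flow):
    # Statistical receptor: no fingerprint matched but the bytes look encrypted/obfuscated.
    if len(flow.payload) >= 64 and shannon_entropy(flow.payload) > 7.5:
        return Verdict("encrypted-or-obfuscated", 0.6, "entropy")
    return None

@receptor("port-fallback")
def port_fallback(flow):
    # Weakest evidence last: destination port alone, reported with low confidence.
    app = {80: "http", 443: "tls", 22: "ssh"}.get(flow.dst_port)
    return Verdict(app, 0.3, "port-fallback") if app else None

def classify(flow: Flow) -> Verdict:
    for _name, fn in RECEPTORS:
        verdict = fn(flow)
        if verdict is not None:
            return verdict
    return Verdict("unknown", 0.0, "none")

# Constructed sample flows.
SAMPLES = {
    "web2":       Flow(80, b"GET /api/v1/msgs HTTP/1.1\r\nHost: api.example-chat.test\r\n\r\n"),
    "plain_http": Flow(8080, b"GET / HTTP/1.0\r\nHost: intranet.test\r\n\r\n"),
    "tls":        Flow(8443, bytes([0x16, 0x03, 0x01, 0x00, 0xF4, 0x01, 0x00, 0x00, 0xF0])),
    "obfuscated": Flow(12345, bytes(range(256))),   # max-entropy stand-in for ciphertext
    "port_only":  Flow(22, b""),                     # no payload yet: port guess only
    "unknown":    Flow(12345, b"A" * 128),
}

if __name__ == "__main__":
    for name, flow in SAMPLES.items():
        v = classify(flow)
        print(f"{name:11s} -> {v.label:24s} conf={v.confidence:.2f} via {v.receptor}")
```

Two details matter in practice: the content receptors ignore the port entirely (HTTP on 8080 and TLS on 8443 are still recognized), and the entropy receptor only runs after every fingerprint has failed, because a real TLS ClientHello or a compressed HTTP body would otherwise be mislabelled as "obfuscated".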

The CUB4 engine currently detects more than 5,500 protocols, services and applications, a 5- to 10-fold improvement over competing technology. Its fine-grained detection lets the engine transparently flag policy violations and potential threats without requiring heavy-handed blocking policies.
In addition, CUB4 provides an open API with IPFIX-compliant flow export, customizable rulesets, and flexible scripting in a familiar Linux-based development environment.
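To show what IPFIX-compliant flow export looks like on the wire, here is an added example that is not Nio's API or code: it builds an IPFIX message (RFC 7011) carrying one template and two application-labelled flow records, then parses the message back, including the variable-length encoding used for the application name. The information-element IDs are the IANA registry values (applicationId and applicationName are defined in RFC 6759); the flow values, the classification engine ID and the selector numbers are constructed.

```python
# Minimal IPFIX (RFC 7011) exporter and parser for application-labelled flow
# records. Added example, not Nio's API. The IANA information-element IDs are
# the real registry values; the flows, engine ID and selector values are constructed.
import ipaddress
import struct
from collections import namedtuple

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
TEMPLATE_ID = 256          # first non-reserved template ID
VARLEN = 0xFFFF            # template field length meaning "variable length"

# (IANA element ID, field length, name)
TEMPLATE = [
    (8, 4, "sourceIPv4Address"),
    (12, 4, "destinationIPv4Address"),
    (7, 2, "sourceTransportPort"),
    (11, 2, "destinationTransportPort"),
    (4, 1, "protocolIdentifier"),
    (1, 8, "octetDeltaCount"),
    (2, 8, "packetDeltaCount"),
    (95, 4, "applicationId"),          # RFC 6759: engine ID byte + selector (3 bytes here)
    (96, VARLEN, "applicationName"),
]
NAMES = {ie: name for ie, _, name in TEMPLATE}

FlowRecord = namedtuple("FlowRecord",
                        "src dst sport dport proto octets packets engine_id selector app_name")

def _encode_record(r: FlowRecord) -> bytes:
    body = ipaddress.IPv4Address(r.src).packed + ipaddress.IPv4Address(r.dst).packed
    body += struct.pack("!HHBQQ", r.sport, r.dport, r.proto, r.octets, r.packets)
    body += bytes([r.engine_id]) + r.selector.to_bytes(3, "big")
    name = r.app_name.encode()
    # Variable-length field: 1 length byte if < 255, else 0xFF followed by a 2-byte length.
    prefix = bytes([len(name)]) if len(name) < 255 else struct.pack("!BH", 255, len(name))
    return body + prefix + name

def build_message(records, export_time: int, sequence: int, domain_id: int) -> bytes:
    template = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    template += b"".join(struct.pack("!HH", ie, length) for ie, length, _ in TEMPLATE)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(template)) + template
    data = b"".join(_encode_record(r) for r in records)
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    total = 16 + len(template_set) + len(data_set)
    header = struct.pack("!HHIII", IPFIX_VERSION, total, export_time, sequence, domain_id)
    return header + template_set + data_set

def parse_message(buf: bytes):
    """Return (templates, raw records); raw field values are kept as bytes."""
    version, length, _time, _seq, _domain = struct.unpack_from("!HHIII", buf, 0)
    if version != IPFIX_VERSION or length != len(buf):
        raise ValueError("bad IPFIX header")
    templates, records, off = {}, [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", buf, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        pos, end = off + 4, off + set_len
        if set_id == TEMPLATE_SET_ID:
            while pos + 4 <= end:
                tid, count = struct.unpack_from("!HH", buf, pos)
                pos += 4
                if tid == 0:                      # all-zero padding at the end of the set
                    break
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack_from("!HH", buf, pos)
                    pos += 4
                    if ie & 0x8000:               # enterprise element: 4-byte PEN follows
                        ie = (ie & 0x7FFF, struct.unpack_from("!I", buf, pos)[0])
                        pos += 4
                    fields.append((ie, flen))
                templates[tid] = fields
        elif set_id >= 256:
            fields = templates.get(set_id)
            if fields is None:
                raise ValueError(f"data set for unknown template {set_id}")
            min_len = sum(1 if l == VARLEN else l for _, l in fields)
            while end - pos >= min_len:           # anything shorter is padding
                rec = {}
                for ie, flen in fields:
                    if flen == VARLEN:
                        flen, pos = buf[pos], pos + 1
                        if flen == 255:
                            flen, pos = struct.unpack_from("!H", buf, pos)[0], pos + 2
                    if pos + flen > end:
                        raise ValueError("record overruns its set")
                    rec[ie], pos = buf[pos:pos + flen], pos + flen
                records.append(rec)
        off = end
    return templates, records

def decode_record(rec: dict) -> dict:
    out = {}
    for ie, raw in rec.items():
        name = NAMES.get(ie, f"ie{ie}")
        if name.endswith("Address"):
            out[name] = str(ipaddress.IPv4Address(raw))
        elif name == "applicationId":
            out[name] = (raw[0], int.from_bytes(raw[1:], "big"))
        elif name == "applicationName":
            out[name] = raw.decode()
        else:
            out[name] = int.from_bytes(raw, "big")
    return out

# Constructed flows, as a recognition engine might hand them to the exporter.
SAMPLE_FLOWS = [
    FlowRecord("10.0.0.5", "192.0.2.10", 51234, 443, 6, 18432, 27, 1, 1001, "example-chat"),
    FlowRecord("10.0.0.7", "198.51.100.4", 51880, 8080, 6, 920, 4, 1, 0, "unknown"),
]

def roundtrip(flows=SAMPLE_FLOWS):
    msg = build_message(flows, export_time=1700000000, sequence=0, domain_id=1)
    _templates, raw = parse_message(msg)
    return msg, [decode_record(r) for r in raw]

if __name__ == "__main__":
    msg, decoded = roundtrip()
    print(f"{len(msg)} bytes on the wire")
    for d in decoded:
        print(d)
```

A collector only needs the template to decode the data set, which is why the template set is sent first in the same message here; a real exporter re-sends templates periodically so a collector that starts late can still decode later data sets. The parser also bounds every read by the set length it was given, so a truncated or malformed export fails with ValueError rather than reading past the buffer.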

SIGMA: The Niometrics Protocol Discovery Service

SIGMA is a telemetry-based service that watches for potential new protocols and threats reported by deployed Nio agents. Reporting to SIGMA is opt-in and may include high-level statistics, samples of unidentified traffic, and samples of traffic flagged as potentially misclassified. This enables early recognition of new protocols and timely refinement of existing signatures to keep accuracy high.

SIGMA applies machine learning to the collected telemetry to refine existing application signatures and generate new ones. This lets Nio deliver faster updates and higher detection rates, especially as the application ecosystem expands and becomes more complex.

To support this, we have invested heavily in the back-end infrastructure needed to discover new applications promptly and to push the corresponding detectors to customer sites quickly.