Most DPI solutions are like car engines: an engine needs gasoline to run, and the gasoline of a DPI solution is its signatures, which are created from application-specific domain knowledge. For example, virus signatures are made by anti-virus experts, who may use analysis tools, disassemblers, sandbox software and so on to extract suitable virus patterns. These patterns must not match clean files. The experts then select suitable virus rules according to the capacity of the network appliances. The selected rules are compiled into a binary signature file. Finally, the experts upload this file to the signature update cloud for distribution to network appliances. An anti-virus solution needs frequently updated virus signatures.
So the “signature service” can be regarded as two components: “signature” and “service”. The “signature” is made by an expert team with application-specific domain knowledge. The “service” is provided by a scalable and efficient signature distribution system.
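The signature preparation steps described above (patterns must not match clean files, rules are selected to fit the appliance capacity, then compiled into a binary file), shown as an added example that is not Lionic's code. The rule names, byte patterns, prevalence ranking, byte-based capacity budget and `SIG1` file layout are all assumptions made for illustration.

```python
# Added illustration: rule names, byte patterns, prevalence scores, file
# names and the capacity figure are constructed, not Lionic data.
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    pattern: bytes   # byte sequence extracted from a sample
    prevalence: int  # assumed ranking input (how often the threat is seen)

CLEAN_CORPUS = {
    "notepad.bin": b"MZ\x90\x00This program cannot be run in DOS mode",
    "readme.txt": b"Plain text release notes for version 1.0",
}
CANDIDATES = [
    Rule("Generic.PEHeader", b"MZ\x90\x00", 90),  # too generic on purpose
    Rule("Trojan.Sample.A", b"\xde\xad\xbe\xefEVIL_LOADER", 70),
    Rule("Worm.Sample.B", b"\x13\x37WORM_PROPAGATE_V2", 50),
    Rule("Adware.Sample.C", b"\xaa\xbbADW", 10),
]

def false_positives(rule, clean_corpus):
    """Names of clean files the pattern matches; must be empty to ship."""
    return [n for n, data in clean_corpus.items() if rule.pattern in data]

def select_rules(candidates, clean_corpus, capacity_bytes):
    """Reject rules that hit clean files, then fill the budget greedily."""
    rejected = {r.name: fp for r in candidates
                if (fp := false_positives(r, clean_corpus))}
    vetted = [r for r in candidates if r.name not in rejected]
    selected, used = [], 0
    for r in sorted(vetted, key=lambda r: (-r.prevalence, r.name)):
        if used + len(r.pattern) <= capacity_bytes:  # skip what will not fit
            selected.append(r)
            used += len(r.pattern)
    return selected, rejected

def compile_signature_file(rules):
    """Pack rules into a length-prefixed blob (hypothetical layout)."""
    out = bytearray(b"SIG1" + struct.pack(">H", len(rules)))
    for r in rules:
        name = r.name.encode()
        out += struct.pack(">BH", len(name), len(r.pattern)) + name + r.pattern
    return bytes(out)

if __name__ == "__main__":
    chosen, dropped = select_rules(CANDIDATES, CLEAN_CORPUS, capacity_bytes=24)
    print([r.name for r in chosen], dropped, len(compile_signature_file(chosen)))
```

The short header pattern is rejected because it also occurs in the clean sample, which is why over-generic patterns never reach the compiled file.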
2. Signature Expert Team
Currently Lionic has six kinds of technologies that need signature support or cloud service support: anti-virus, anti-intrusion, anti-webthreat, application identification, device identification and web category filter. Lionic makes the signatures for all six itself.
Lionic has a team in charge of researching malicious attacks and protocol behaviors, collecting malware through exchange or from underground organizations, extracting signatures, packaging all the signature files, etc.
Over the years, our security experts have built a unified signature database and several automatic and semi-automatic systems for analysis and signature extraction, but some jobs still need human intervention. AI (Artificial Intelligence) technologies are already used in signature research. Real-time AI that detects malicious content inside the network appliances is still not practical at this moment, because the CPU and memory resources of network appliances are limited and AI computing is usually slow and consumes a lot of memory. The Lionic signature expert team makes high-quality signature files in a clean room.
3. Signature Cloud Service
After they understand our DPI solutions, many customers ask Lionic how the signatures can be updated immediately. Lionic built its global signature update cloud several years ago; its code name is “SCS” (Signature Cloud Service). Every product that adopts Lionic technologies can subscribe to this signature update service. Lionic offers a “signature update agent” that runs inside the network appliance and communicates with the SCS. This SCS server and client combination is in charge of license checks, user authentication, expiration checks, downloading and unpacking the signature file, etc.
The SCS is actively maintained and has been running for more than ten years. It also passed a penetration test by a third-party security company several years ago. It is quite mature now. Two of our big customers have even licensed it and run their own SCS instances under their brand names; our team then took contract jobs for their specific license management customizations.
However, we suggest that customers adopt our global signature update cloud for the greatest convenience. Customers who buy an instance of SCS usually also need to buy an SCS maintenance contract, and having a DevOps team operate and monitor many servers is a huge cost, too.
All customers' signature files are isolated and safe in our global signature update cloud. End users seldom see the system log messages and can hardly learn anything about the signature update servers. Currently the SCS servers span Asia, Europe and the USA, and their number is still growing. Joining the Lionic global signature update cloud is the most economical solution.
Figure 1 - SCS Dashboard Screenshot