Transformers in the Wire: Advanced DPI Fingerprinting and AI for Stealth VPN Detection
Luca Deri, Daniele Sartiano
At SharkFest '24, we introduced the fundamentals of open-source deep packet inspection (DPI) using nDPI. Since then, network adversaries and stealth VPN providers have evolved considerably, and traditional fingerprinting methods such as JA4 are no longer sufficient against heavily obfuscated traffic. This one-hour follow-up session is split into two core parts. First, we explore advanced traffic fingerprinting techniques that go beyond the current state of the art; second, we turn to machine learning for the cases where fingerprinting alone is not enough.
- We will demonstrate how to use Wireshark to capture, dissect, and label complex traffic streams, and how those labelled streams drive the new nDPI capabilities.
- We address what happens when fingerprinting fails against highly evasive protocols.
- We will show how data exported from Wireshark feeds a pipeline that trains Transformer-based AI models to unmask stealth VPN traffic.
- The session concludes with a live demonstration showcasing both advanced DPI extensions and the AI model detecting disguised traffic in real time.