Adaptive Network Traffic Classification Using Historical Context
Abstract
Adaptive network traffic classification using historical context. Network traffic may be monitored and classified by considering several attributes using packet filters, regular expressions, context-free grammars, rule sets, and/or protocol dissectors, among other means and by applying a variety of techniques such as signature matching and statistical analysis. Unlike static systems, the classification decisions may be reexamined from time to time or after subsequent processing determines that the traffic does not conform to the protocol specification corresponding to the classification decision. Historical context may be used to adjust the classification strategy for similar or related traffic.
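The feedback loop the abstract describes, as an added Python example (not code from the patent). It assumes that a server endpoint `(ip, port)` serves as the "identifying characteristics", that two reduced payload checks stand in for protocol dissectors, and that the flows are constructed sample data.

```python
import re

# Reduced stand-ins for protocol dissectors (assumption): does the payload conform?
DISSECTORS = {
    "http": lambda p: re.match(rb"[A-Z]+ \S+ HTTP/1\.[01]\r\n", p) is not None,
    "ssh": lambda p: p.startswith(b"SSH-2.0-"),
}

class AdaptiveClassifier:
    def __init__(self, port_rules):
        self.port_rules = dict(port_rules)  # static rules: dst port -> label
        self.overrides = {}                 # historical context: endpoint -> label

    def classify(self, ip, port):
        """Rule-only decision taken on the first packets of a connection."""
        if (ip, port) in self.overrides:
            return self.overrides[(ip, port)]
        return self.port_rules.get(port, "unknown")

    def verify(self, ip, port, label, payload):
        """Later dissection; returns True if payload conforms to label's protocol."""
        check = DISSECTORS.get(label)
        if check and check(payload):
            return True
        # Non-conforming: modify the rules so later traffic to this endpoint
        # is not classified the same way. Use a matching dissector if one exists.
        better = next((n for n, ok in DISSECTORS.items() if ok(payload)), "unknown")
        self.overrides[(ip, port)] = better
        return False

def run(flows, port_rules):
    clf, results = AdaptiveClassifier(port_rules), []
    for ip, port, payload in flows:
        label = clf.classify(ip, port)
        results.append((label, clf.verify(ip, port, label, payload)))
    return results

# Constructed flows: the second server runs SSH on port 80.
SAMPLE_FLOWS = [
    ("192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
    ("192.0.2.77", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("192.0.2.77", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("192.0.2.10", 80, b"GET /x HTTP/1.1\r\nHost: a\r\n\r\n"),
]

if __name__ == "__main__":
    for row in run(SAMPLE_FLOWS, {80: "http", 22: "ssh"}):
        print(row)
```

The second flow is labelled `http` by the port rule and fails conformance; the third flow to the same endpoint is then labelled `ssh`, while the other port-80 server keeps its `http` label.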
10 Claims
1. A computer-implemented method, comprising:
- a first computer system receiving first data over a network, wherein the first data is received from one or more packets from each of a plurality of connections;
- the first computer system classifying the first data using one or more classification rules to produce classified data;
- the first computer system determining if the classified data conforms to a protocol specification;
- if the classified data does not conform to the protocol specification, the first computer system modifying the one or more classification rules such that later data with identifying characteristics similar to the first data are not classified in the same manner.

Dependent claims: 2, 3, 4, 5
6. A memory medium comprising program instructions, wherein the program instructions are executable to:
- classify first data received over a network using one or more classification rules to produce classified data, wherein the first data is received from one or more packets from each of a plurality of connections;
- determine if the classified data conforms to a protocol specification;
- if the classified data does not conform to the protocol specification, modify the one or more classification rules such that later data with identifying characteristics similar to the first data are not classified in the same manner.

Dependent claims: 7, 8, 9, 10
Specification