APPLICATION DETECTION ARCHITECTURE AND TECHNIQUES
First Claim
1. A method for detecting network-based applications based on network traffic generated by the network-based applications, the method comprising:
- receiving network traffic at a computer system;
- analyzing, in a first phase associated with the network traffic, the network traffic with one or more single inspection point engines provided by a processor associated with the computer system to determine whether a single inspection point of the network traffic satisfies at least one of the single inspection point engines;
- analyzing, in a second phase associated with the network traffic, the network traffic and results information associated with the one or more single inspection point engines with one or more multiple inspection point engines provided by the processor associated with the computer system to determine whether a plurality of inspection points of the network traffic satisfy at least one of the multiple inspection point engines;
- analyzing, in a third phase associated with the network traffic, the network traffic, results information associated with the one or more single inspection point engines, and results information associated with the one or more multiple inspection point engines with one or more custom inspection point engines provided by the processor associated with the computer system to determine whether the network traffic satisfies at least one of the custom inspection point engines;
- identifying, with the processor associated with the computer system, a network-based application that generated the network traffic based on results information obtained from at least one of the first phase, the second phase, or the third phase;
- determining, with the processor associated with the computer system, a policy that is applicable to the network-based application; and
- performing an action defined by the policy in regard to the network-based application.
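The claimed pipeline, as an added illustration rather than the patent's own code: phase one runs engines that each see a single inspection point, phase two runs engines that correlate several points together with the phase-one results, phase three runs a custom engine over both, and the outcome drives identification, policy lookup and an action. The engine logic, tag names, application catalogue, policy table and sample flow are all constructed assumptions.

```python
# Added illustration (not the patent's code) of the claimed three-phase pipeline; engine
# logic, tag names, the application catalogue and the policy table are all constructed.
def run(engines, *args):
    """Run each engine on the given inputs; collect the tags of the engines that fire."""
    return {tag for engine in engines if (tag := engine(*args)) is not None}

# Phase 1: each engine sees exactly one inspection point (one record of the flow).
def tls_engine(point):
    return "tls.record" if point["payload"][:2] == b"\x16\x03" else None
def http_engine(point):
    return "http.request" if point["payload"][:4] in (b"GET ", b"POST") else None

# Phase 2: engines correlate several inspection points plus the phase-1 tags per point.
def tls_session_engine(flow, p1):
    dirs = {pt["dir"] for pt, tags in zip(flow, p1) if "tls.record" in tags}
    return "tls.session" if dirs >= {"c2s", "s2c"} else None      # handshake both ways
def bulk_upload_engine(flow, p1):
    up = sum(len(pt["payload"]) for pt in flow if pt["dir"] == "c2s")
    return "bulk.upload" if up > 512 else None                    # constructed threshold

# Phase 3: a custom engine combines phase-1 and phase-2 results with the raw flow.
def sync_client_engine(flow, p1, p2):
    if {"tls.session", "bulk.upload"} <= p2 and flow[0]["port"] == 443:
        return "file-sync-over-https"
    return None

SINGLE_ENGINES = [tls_engine, http_engine]
MULTI_ENGINES = [tls_session_engine, bulk_upload_engine]
CUSTOM_ENGINES = [sync_client_engine]
APP_BY_TAG = {"file-sync-over-https": "cloud-sync", "tls.session": "generic-tls",
              "http.request": "generic-http"}                     # constructed catalogue
POLICY = {"cloud-sync": "block", "generic-tls": "allow", "generic-http": "log"}

def detect(flow):
    p1 = [run(SINGLE_ENGINES, pt) for pt in flow]                  # first phase
    p2 = run(MULTI_ENGINES, flow, p1)                              # second phase
    p3 = run(CUSTOM_ENGINES, flow, p1, p2)                         # third phase
    # Identify via the most specific (latest-phase) tag in the catalogue, then apply policy.
    for tags in (p3, p2, set().union(*p1)):
        for tag in sorted(tags):
            if tag in APP_BY_TAG:
                app = APP_BY_TAG[tag]
                return {"app": app, "action": POLICY.get(app, "allow"), "phases": (p1, p2, p3)}
    return {"app": "unknown", "action": "allow", "phases": (p1, p2, p3)}
SAMPLE_FLOW = [  # constructed: TLS handshake records both ways, then a large client upload
    {"dir": "c2s", "port": 443, "payload": b"\x16\x03\x01\x00\x05hello"},
    {"dir": "s2c", "port": 443, "payload": b"\x16\x03\x03\x00\x05hello"},
    {"dir": "c2s", "port": 443, "payload": b"\x17\x03\x03" + b"\x00" * 1024},
]
```

Running `detect(SAMPLE_FLOW)` shows how a flow that phase one only tags as TLS records is escalated by the later phases to a specific application with its own policy.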
Abstract
An application detection architecture and related techniques are provided for detecting, identifying, and managing network-based applications. In various embodiments, a combined layered approach to application detection and various application-detection techniques provide for quick assessments that move from simplest to most complex, for rapid detection of unauthorized or misbehaving applications in communication with one or more computer networks. This layering, in some embodiments, further provides scalability and speed for determining and implementing policies that may be applicable to detected network-based applications, or to users, groups, or devices associated with unauthorized network-based applications sending or receiving data via a computer network.
21 Claims
11. A computer-readable storage medium storing a computer program product executable by one or more computer systems for detecting network-based applications based on network traffic generated by the network-based applications, the computer-readable storage medium comprising:
- code for receiving network traffic;
- code for analyzing, in a first phase associated with the network traffic, the network traffic with one or more single inspection point engines to determine whether a single inspection point of the network traffic satisfies at least one of the single inspection point engines;
- code for analyzing, in a second phase associated with the network traffic, the network traffic and results information associated with the one or more single inspection point engines with one or more multiple inspection point engines to determine whether a plurality of inspection points of the network traffic satisfy at least one of the multiple inspection point engines;
- code for analyzing, in a third phase associated with the network traffic, the network traffic, results information associated with the one or more single inspection point engines, and results information associated with the one or more multiple inspection point engines with one or more custom inspection point engines to determine whether the network traffic satisfies at least one of the custom inspection point engines;
- code for identifying a network-based application that generated the network traffic based on results information obtained from at least one of the first phase, the second phase, or the third phase;
- code for determining a policy that is applicable to the network-based application; and
- code for performing an action defined by the policy in regard to the network-based application.
21. A network appliance for detecting network-based applications based on network traffic generated by the network-based applications, the network appliance comprising:
- a database storing information for configuring one or more single inspection point engines, one or more multiple inspection point engines, and one or more custom inspection point engines;
- a communications interface configured to be coupled to a communications network and receive network traffic;
- a processor configured to:
  - configure the one or more single inspection point engines and analyze, in a first phase associated with the network traffic, the network traffic with the one or more single inspection point engines to determine whether a single inspection point of the network traffic satisfies at least one of the single inspection point engines;
  - configure the one or more multiple inspection point engines and analyze, in a second phase associated with the network traffic, the network traffic and results information associated with the one or more single inspection point engines with the one or more multiple inspection point engines to determine whether a plurality of inspection points of the network traffic satisfy at least one of the multiple inspection point engines;
  - configure the one or more custom inspection point engines and analyze, in a third phase associated with the network traffic, the network traffic, results information associated with the one or more single inspection point engines, and results information associated with the one or more multiple inspection point engines with the one or more custom inspection point engines to determine whether the network traffic satisfies at least one of the custom inspection point engines;
  - identify a network-based application that generated the network traffic based on results information obtained from at least one of the first phase, the second phase, or the third phase;
  - determine a policy that is applicable to the network-based application; and
  - perform an action defined by the policy in regard to the network-based application.
Specification