TECHNIQUES FOR DYNAMIC UPDATING AND LOADING OF CUSTOM APPLICATION DETECTORS

US 20100088670A1
Filed: 09/28/2009
Published: 04/08/2010
Est. Priority Date: 10/02/2008
Status: Active Grant

First Claim

Patent Images

1. A method for detecting network-based applications, the method comprising:

analyzing network traffic sent to or received from a network application to identify one or more data points associated with the network traffic that are characteristic of the network-based application;

receiving, at least a first computer system in a set of computer systems, information describing the identified one or more data points;

associating, with one or more processors associated with the at least a first computer system in the set of computer systems, the information describing the identified one or more data points with the network-based application;

storing, with the one or more processors associated with the at least a first computer system in the set of computer systems, information about the network-based application, the information describing the identified one or more data points, and information associating the information describing the identified one or more data points and the network-based application in a database;

generating, with one or more processors associated with at least a second computer system in the set of computer systems, a set of rules in response to accessing the database that configure an application detection engine to identify the network-based application from network traffic, each rule in the set of rules specifying at least one of the one or more identified data points and one or more conditions when data in the network traffic associated with the at least one of the one or more identified data points satisfies the rule; and

communicating the set of rules to an application detection device, wherein at least application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various embodiments, a data-driven model is provided for an application detection engine for the detection and identification of network-based applications. In one embodiment, information can be input into an application detection database. The information may include a hostname, ports, transport protocol (TCP/UDP), higher layer protocol (SOCKS, HTTP, SMTP, FTP, etc), or the like. The information may be associated with a given application. The information may be used to create rule sets or custom program logic used by one or more various application detection engines for determining whether network traffic has been initiated by a given application. The information may be dynamically loaded and updated at the application detection engine.

46 Citations

View as Search Results

24 Claims

1. A method for detecting network-based applications, the method comprising:
- analyzing network traffic sent to or received from a network application to identify one or more data points associated with the network traffic that are characteristic of the network-based application;
  
  receiving, at least a first computer system in a set of computer systems, information describing the identified one or more data points;
  
  associating, with one or more processors associated with the at least a first computer system in the set of computer systems, the information describing the identified one or more data points with the network-based application;
  
  storing, with the one or more processors associated with the at least a first computer system in the set of computer systems, information about the network-based application, the information describing the identified one or more data points, and information associating the information describing the identified one or more data points and the network-based application in a database;
  
  generating, with one or more processors associated with at least a second computer system in the set of computer systems, a set of rules in response to accessing the database that configure an application detection engine to identify the network-based application from network traffic, each rule in the set of rules specifying at least one of the one or more identified data points and one or more conditions when data in the network traffic associated with the at least one of the one or more identified data points satisfies the rule; and
  
  communicating the set of rules to an application detection device, wherein at least application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein analyzing the network traffic sent to or received from the network application comprises identifying one or more of a source address, a destination address, a source port, a destination port, one or more header fields, payload data, or combinations thereof.
  - 3. The method of claim 1 further comprising:
    - receiving, at the at least a first computer system in a set of computer systems, one or more of a filename, a download location, a URL, a hostname, or a domain name associated with the network-based application; and
      
      storing, with the one or more processors associated with the at least a first computer system in the set of computer systems, information associating the one or more of a filename, a download location, a URL, a hostname, or a domain name associated with the network-based application with the network-based application in the database.
  - 4. The method of claim 1 further comprising:
    - packaging, with the one or more processors associated with at least a second computer system in the set of computer systems, the set of rules into a format appropriate for the application detection device.
  - 5. The method of claim 1 further comprising:
    - receiving, at the at least a first computer system in a set of computer systems, information describing logic for determining information using one or more of the identified one or more data points;
      
      associating, with the one or more processors associated with the at least a first computer system in the set of computer systems, the logic with the network-based application; and
      
      storing, with the one or more processors associated with the at least a first computer system in the set of computer systems, the logic and information associating the logic and the network-based application in the database.
  - 6. The method of claim 5 further comprising:
    - generating, with the one or more processors associated with the at least a second computer system in the set of computer systems, program code based on the logic; and
      
      compiling the program code for execution at the application detection device.
  - 7. The method of claim 6 wherein compiling the program code for execution at the application detection device comprises compiling the program code for dynamic loading at the application detection device.
  - 8. The method of claim 6 wherein communicating the set of rules to the application detection device further comprise communicating the compiled program code, wherein at least the application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules and the compiled program code.
  - 9. The method of claim 5 wherein receiving, at the at least a first computer system in a set of computer systems, the information describing the logic comprises receiving logic for maintaining stating information across the network traffic.
  - 10. The method of claim 5 wherein receiving, at the at least a first computer system in a set of computer systems, the information describing the logic comprises receiving logic for determining one or more hash values or checksum from the network traffic.
  - 11. The method of claim 1 wherein the dynamic updated of at least the application detection functionality of the application detection device to support detection of the network-based application based on the communicated set of rules comprises updated during run-time.
  - 12. The method of claim 1 wherein at least one or more user interfaces of the application detection device are dynamically updated to support displaying of information associated with the network-based application based on the communicated set of rules.
  - 13. The method of claim 1 wherein at least reporting functionality of the application detection device is dynamically updated to support reporting of information associated with the network-based application based on the communicated set of rules.

14. A computer-readable storage medium storing code executable by a processor of a computer system for detecting network-based applications, the computer-readable storage medium comprising:
- code for receiving information describing one or more data points, the one or more data points identified in response to an analysis of network traffic sent to or received from a network application to identify a set of data points associated with the network traffic that are characteristic of the network-based application;
  
  code for associating the information describing the identified one or more data points with the network-based application;
  
  code for storing information about the network-based application, the information describing the identified one or more data points, and information associating the information describing the identified one or more data points and the network-based application in a database;
  
  code for generating a set of rules in response to accessing the database that configure an application detection engine to identify the network-based application from network traffic, each rule in the set of rules specifying at least one of the one or more identified data points and one or more conditions when data in the network traffic associated with the at least one of the one or more identified data points satisfies the rule; and
  
  code for communicating the set of rules to an application detection device, wherein at least application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The computer-readable storage medium of claim 14 wherein the code for receiving the one or more data points comprises code for receiving one or more of a source address, a destination address, a source port, a destination port, one or more header fields, payload data, or combinations thereof.
  - 16. The computer-readable storage medium of claim 14 further comprising:
    - code for receiving one or more of a filename, a download location, a URL, a hostname, or a domain name associated with the network-based application; and
      
      code for storing information associating the one or more of a filename, a download location, a URL, a hostname, or a domain name associated with the network-based application with the network-based application in the database.
  - 17. The computer-readable storage medium of claim 14 further comprising:
    - code for packaging the set of rules into a format appropriate for the application detection device.
  - 18. The computer-readable storage medium of claim 14 further comprising:
    - code for receiving information describing logic for determining information using one or more of the identified one or more data points;
      
      code for associating the logic with the network-based application; and
      
      code for storing the logic and information associating the logic and the network-based application in the database.
  - 19. The computer-readable storage medium of claim 18 further comprising:
    - code for generating program code based on the logic; and
      
      code for compiling the program code for execution at the application detection device.
  - 20. The computer-readable storage medium of claim 19 wherein the code for compiling the program code for execution at the application detection device comprises code for compiling the program code for dynamic loading at the application detection device.
  - 21. The computer-readable storage medium of claim 19 wherein the code for communicating the set of rules to the application detection device further comprise code for communicating the compiled program code, wherein at least the application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules and the compiled program code.
  - 22. The computer-readable storage medium of claim 18 wherein the code for receiving the information describing the logic comprises code for receiving logic for maintaining stating information across the network traffic.
  - 23. The computer-readable storage medium of claim 18 wherein the code for receiving the information describing the logic comprises code for receiving logic for determining one or more hash values or checksum from the network traffic.

24. A system for detecting network-based applications, the system comprising:
- a database configured to store information about a network-based application;
  
  a first set of one or more computer systems configured to;
  
  receive information describing the one or more data points, the one or more data points determined in response to an analysis of network traffic sent to or received from the network application to identify a set of data points associated with the network traffic that are characteristic of the network-based application,associate the information describing the identified one or more data points with the network-based application, andstore the information about the network-based application, the information describing the identified one or more data points, and information associating the information describing the identified one or more data points and the network-based application in the database; and
  
  a second set of one or more computer systems configured to;
  
  generate a set of rules in response to accessing the database that configure an application detection engine to identify the network-based application from network traffic, each rule in the set of rules specifying at least one of the one or more identified data points and one or more conditions when data in the network traffic associated with the at least one of the one or more identified data points satisfies the rule, andcommunicate the set of rules to an application detection device, wherein at least application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Actiance, Inc.
Original Assignee
Facetime Communications Incorporated
Inventors
Paster, Steven B.

Granted Patent

US 8,413,111 B2
Time in Patent Office

Days
Field of Search
US Class Current

717/106
CPC Class Codes

H04L 43/022   by sampling

H04L 43/026   using flow identification

H04L 43/04   Processing captured monitor...

H04L 45/745   Address table lookup; Addre...

TECHNIQUES FOR DYNAMIC UPDATING AND LOADING OF CUSTOM APPLICATION DETECTORS

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUES FOR DYNAMIC UPDATING AND LOADING OF CUSTOM APPLICATION DETECTORS

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links