TECHNIQUES FOR DYNAMIC UPDATING AND LOADING OF CUSTOM APPLICATION DETECTORS
First Claim
1. A method for detecting network-based applications, the method comprising:
analyzing network traffic sent to or received from a network application to identify one or more data points associated with the network traffic that are characteristic of the network-based application;
receiving, at least a first computer system in a set of computer systems, information describing the identified one or more data points;
associating, with one or more processors associated with the at least a first computer system in the set of computer systems, the information describing the identified one or more data points with the network-based application;
storing, with the one or more processors associated with the at least a first computer system in the set of computer systems, information about the network-based application, the information describing the identified one or more data points, and information associating the information describing the identified one or more data points and the network-based application in a database;
generating, with one or more processors associated with at least a second computer system in the set of computer systems, a set of rules in response to accessing the database that configure an application detection engine to identify the network-based application from network traffic, each rule in the set of rules specifying at least one of the one or more identified data points and one or more conditions when data in the network traffic associated with the at least one of the one or more identified data points satisfies the rule; and
communicating the set of rules to an application detection device, wherein at least application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules.
7 Assignments
0 Petitions
Abstract
In various embodiments, a data-driven model is provided for an application detection engine for the detection and identification of network-based applications. In one embodiment, information can be input into an application detection database. The information may include a hostname, ports, transport protocol (TCP/UDP), higher-layer protocol (SOCKS, HTTP, SMTP, FTP, etc.), or the like. The information may be associated with a given application. The information may be used to create rule sets or custom program logic used by one or more application detection engines for determining whether network traffic has been initiated by a given application. The information may be dynamically loaded and updated at the application detection engine.
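The pipeline the abstract describes (a database of per-application data points, a rule set generated from it, and a detection engine whose rules are replaced at runtime without a restart) as an added Python example; this is not the patent's own code or any vendor's engine. The row schema, the `Rule` representation, the application names, hostnames and flow records are all constructed assumptions.

```python
"""Data-driven application detection: database -> generated rules -> engine.

Added illustration, not code from the patent. The row schema, Rule format,
application names, hostnames and flow records are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Step 1: the application detection database. Each row records data points
# observed in traffic that characterise an application: hostname, transport
# (TCP/UDP), port and higher-layer protocol. None means "not specified".
# Constructed sample rows.
APP_DB: List[Dict[str, object]] = [
    {"app": "ExampleChat", "hostname": "chat.example.net", "transport": "TCP", "port": 443, "proto": "HTTP"},
    {"app": "ExampleChat", "hostname": "media.example.net", "transport": "UDP", "port": 3478, "proto": None},
    {"app": "LegacyMail", "hostname": None, "transport": "TCP", "port": 25, "proto": "SMTP"},
    # A deliberately broad row: any HTTP over TCP/443 with no hostname condition.
    {"app": "GenericWeb", "hostname": None, "transport": "TCP", "port": 443, "proto": "HTTP"},
]

DATA_POINTS = ("hostname", "transport", "port", "proto")


@dataclass(frozen=True)
class Rule:
    """One rule: the data points it checks and the value each must equal."""
    app: str
    conditions: Tuple[Tuple[str, object], ...]

    def matches(self, flow: Dict[str, object]) -> bool:
        return all(flow.get(point) == value for point, value in self.conditions)


def generate_rules(db: List[Dict[str, object]]) -> List[Rule]:
    """Step 2: derive the rule set from the database.

    Rows with no specified data point are rejected: they would compile to a
    catch-all rule that labels every flow as that application.
    """
    rules = []
    for row in db:
        conds = tuple((p, row[p]) for p in DATA_POINTS if row.get(p) is not None)
        if not conds:
            raise ValueError(f"row for {row['app']!r} specifies no data points")
        rules.append(Rule(str(row["app"]), conds))
    # Most specific rule first, so a broad port-only rule cannot shadow a
    # hostname+port rule for the same traffic (sort is stable, so database
    # order breaks ties).
    rules.sort(key=lambda r: len(r.conditions), reverse=True)
    return rules


class DetectionEngine:
    """Step 3: the application detection device. The active rule set is one
    immutable tuple, so load_rules() replaces it atomically and a
    classification in progress never sees a half-updated set."""

    def __init__(self, rules: List[Rule]) -> None:
        self._rules: Tuple[Rule, ...] = tuple(rules)

    def load_rules(self, rules: List[Rule]) -> None:
        self._rules = tuple(rules)

    def classify(self, flow: Dict[str, object]) -> str:
        for rule in self._rules:
            if rule.matches(flow):
                return rule.app
        return "unknown"


# Constructed flow records as a sensor would summarise them. The hostname
# (from SNI or an HTTP Host header) is supplied by the client, so a hostname
# match is evidence of the application, not proof.
SAMPLE_FLOWS: List[Dict[str, object]] = [
    {"hostname": "chat.example.net", "transport": "TCP", "port": 443, "proto": "HTTP"},
    {"hostname": "media.example.net", "transport": "UDP", "port": 3478, "proto": None},
    {"hostname": None, "transport": "TCP", "port": 25, "proto": "SMTP"},
    {"hostname": "files.example.org", "transport": "TCP", "port": 443, "proto": "HTTP"},
]


def classify_all(engine: DetectionEngine, flows=SAMPLE_FLOWS) -> List[str]:
    return [engine.classify(f) for f in flows]


def dynamic_update_demo() -> Tuple[List[str], List[str]]:
    """Add a new application to the database and hot-load the regenerated rules."""
    engine = DetectionEngine(generate_rules(APP_DB))
    before = classify_all(engine)
    updated_db = APP_DB + [
        {"app": "ExampleDrive", "hostname": "files.example.org", "transport": "TCP", "port": 443, "proto": "HTTP"},
    ]
    engine.load_rules(generate_rules(updated_db))  # no restart of the engine
    after = classify_all(engine)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), dynamic_update_demo()):
        print(label, result)
```

Two design points matter in practice. Rules are ordered by the number of data points they check, so a row that names only a port and protocol cannot claim traffic that a more specific hostname rule already identifies; and a database row with no data points at all is refused at generation time rather than becoming a catch-all rule that silently relabels every flow. Before the update the fourth flow falls through to the broad `GenericWeb` rule; after the new row is loaded the same flow is reported as `ExampleDrive` without restarting the engine.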
46 Citations
24 Claims
1. A method for detecting network-based applications (independent claim; full text given under First Claim above). Dependent claims: 2 to 13.
-
-
14. A computer-readable storage medium storing code executable by a processor of a computer system for detecting network-based applications, the computer-readable storage medium comprising:
code for receiving information describing one or more data points, the one or more data points identified in response to an analysis of network traffic sent to or received from a network application to identify a set of data points associated with the network traffic that are characteristic of the network-based application;
code for associating the information describing the identified one or more data points with the network-based application;
code for storing information about the network-based application, the information describing the identified one or more data points, and information associating the information describing the identified one or more data points and the network-based application in a database;
code for generating a set of rules in response to accessing the database that configure an application detection engine to identify the network-based application from network traffic, each rule in the set of rules specifying at least one of the one or more identified data points and one or more conditions when data in the network traffic associated with the at least one of the one or more identified data points satisfies the rule; and
code for communicating the set of rules to an application detection device, wherein at least application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules.
Dependent claims: 15 to 23.
24. A system for detecting network-based applications, the system comprising:
a database configured to store information about a network-based application;
a first set of one or more computer systems configured to:
receive information describing the one or more data points, the one or more data points determined in response to an analysis of network traffic sent to or received from the network application to identify a set of data points associated with the network traffic that are characteristic of the network-based application,
associate the information describing the identified one or more data points with the network-based application, and
store the information about the network-based application, the information describing the identified one or more data points, and information associating the information describing the identified one or more data points and the network-based application in the database; and
a second set of one or more computer systems configured to:
generate a set of rules in response to accessing the database that configure an application detection engine to identify the network-based application from network traffic, each rule in the set of rules specifying at least one of the one or more identified data points and one or more conditions when data in the network traffic associated with the at least one of the one or more identified data points satisfies the rule, and
communicate the set of rules to an application detection device, wherein at least application detection functionality of the application detection device is dynamically updated to support detection of the network-based application based on the communicated set of rules.
Specification