Classification Techniques for Encrypted Network Traffic
Abstract
Methods, apparatuses and systems directed to detecting network applications whose data flows have been encrypted. The present invention extends beyond analysis of explicitly presented packet attributes of data flows and holistically analyzes the behavior of host or end systems as expressed in related data flows against a statistical behavioral model to classify the data flows.
20 Claims
1. A method comprising:
receiving, at a network device, a data flow associated with a host;
accessing a memory maintaining a data structure comprising one or more count values for the host, wherein each of the count values corresponds to a number of events detected over a time interval and wherein each event corresponding to a count value exhibits a correlation to a network application;
determining a flow affinity value by multiplying each count value by a correlation value corresponding to the count value to yield a component product and summing the component products for each count value to yield the flow affinity value; and
classifying the data flow as the network application based on a comparison of the flow affinity value to a threshold flow affinity value.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A method, comprising:
receiving, at a network device, a data flow associated with a host;
applying a first classification framework to classify the data flow based on attributes of individual packets of the data flow that are readily discoverable or unconcealed by encryption;
if the data flow is not classified into a network application by applying the first classification framework, then applying a second classification framework, wherein the second classification framework comprises:
accessing a memory maintaining a data structure comprising one or more count values for the host, wherein each of the count values corresponds to a number of events detected over a time interval and wherein each event corresponding to a count value exhibits a correlation to a network application;
determining a flow affinity value by multiplying each count value by a correlation value corresponding to the count value to yield a component product and summing the component products for each count value to yield the flow affinity value; and
classifying the data flow as the network application based on a comparison of the flow affinity value to a threshold flow affinity value.
Dependent claims: 10, 11, 12.

13. An apparatus, comprising:
one or more network interfaces;
a memory;
one or more processors;
one or more code modules comprising computer-executable instructions stored on a computer readable medium, the instructions, when read and executed, for causing the one or more processors to:
receive a data flow associated with a host;
access the memory maintaining a data structure comprising one or more count values for the host, wherein each of the count values corresponds to a number of events detected over a time interval and wherein each event corresponding to a count value exhibits a correlation to a network application;
determine a flow affinity value by multiplying each count value by a correlation value corresponding to the count value to yield a component product and summing the component products for each count value to yield the flow affinity value; and
classify the data flow as the network application based on a comparison of the flow affinity value to a threshold flow affinity value.
Dependent claims: 14, 15, 16, 17, 18, 19, 20.
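The two-stage classifier of claims 1 and 9, worked through as an added example (this is illustrative code written for this page, not an implementation from the patent or its assignee). Stage one classifies on packet attributes that encryption leaves visible (here, assumed to be transport protocol and destination port); if that yields nothing, stage two computes the flow affinity value of claim 1 for each candidate application, i.e. the sum of each per-host event count multiplied by that event's correlation value, and compares it with the application's threshold. The event names, correlation values, thresholds, port table and sample hosts are all constructed for the example; the patent supplies none of them.

```python
"""Toy two-stage encrypted-traffic classifier (added example, constructed data).

Stage 1: unconcealed per-packet attributes (assumed: protocol + destination port).
Stage 2: behavioural model per claim 1: affinity = sum(count_i * correlation_i),
         classified as the application when affinity >= threshold.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Stage 1 lookup table (constructed): (protocol, dst_port) -> application.
PORT_SIGNATURES: Dict[tuple, str] = {
    ("tcp", 25): "smtp",
    ("tcp", 80): "http",
    ("udp", 53): "dns",
}


@dataclass(frozen=True)
class BehaviorModel:
    """Per-application model: correlation value per event type plus a threshold."""
    app: str
    correlations: Dict[str, float]
    threshold: float


# Constructed behavioural models; values are illustrative, not from the patent.
MODELS: List[BehaviorModel] = [
    BehaviorModel(
        app="p2p-filesharing",
        correlations={"udp_tracker_query": 0.6,
                      "many_distinct_peers": 0.8,
                      "inbound_conn_to_high_port": 0.5},
        threshold=5.0,
    ),
    BehaviorModel(
        app="vpn-tunnel",
        correlations={"long_lived_udp_flow": 0.9,
                      "constant_packet_size": 0.7},
        threshold=4.0,
    ),
]


@dataclass
class Flow:
    host: str
    proto: str
    dst_port: int


@dataclass
class HostCounters:
    """Count of each event type observed for one host in the current time interval."""
    counts: Dict[str, int] = field(default_factory=dict)

    def record(self, event: str, n: int = 1) -> None:
        self.counts[event] = self.counts.get(event, 0) + n


def classify_by_packet_attributes(flow: Flow) -> Optional[str]:
    """Stage 1: attributes encryption does not hide. None if no signature matches."""
    return PORT_SIGNATURES.get((flow.proto, flow.dst_port))


def flow_affinity(counters: HostCounters, model: BehaviorModel) -> float:
    """Claim 1: multiply each count by its correlation value, sum the products.
    Events the model knows nothing about contribute 0."""
    return sum(count * model.correlations.get(event, 0.0)
               for event, count in counters.counts.items())


def classify_by_behavior(counters: HostCounters,
                         models: List[BehaviorModel] = MODELS) -> Optional[str]:
    """Stage 2: pick the application whose threshold is met with the highest affinity."""
    best_app, best_score = None, 0.0
    for model in models:
        score = flow_affinity(counters, model)
        if score >= model.threshold and score > best_score:
            best_app, best_score = model.app, score
    return best_app


def classify(flow: Flow, host_counters: Dict[str, HostCounters]) -> str:
    """Claim 9: stage 1 first, fall back to the behavioural model only if it fails."""
    app = classify_by_packet_attributes(flow)
    if app is not None:
        return app
    counters = host_counters.get(flow.host, HostCounters())
    return classify_by_behavior(counters) or "unknown"


def run_demo() -> Dict[str, str]:
    """Constructed sample hosts: one clear P2P profile, one below the VPN threshold."""
    counters = {"10.0.0.5": HostCounters(), "10.0.0.9": HostCounters()}
    counters["10.0.0.5"].record("udp_tracker_query", 4)        # 4 * 0.6 = 2.4
    counters["10.0.0.5"].record("many_distinct_peers", 5)      # 5 * 0.8 = 4.0
    counters["10.0.0.5"].record("inbound_conn_to_high_port", 3)  # 3 * 0.5 = 1.5
    counters["10.0.0.9"].record("long_lived_udp_flow", 2)      # 2 * 0.9 = 1.8
    counters["10.0.0.9"].record("constant_packet_size", 3)     # 3 * 0.7 = 2.1
    return {
        "plaintext_http": classify(Flow("10.0.0.5", "tcp", 80), counters),
        "encrypted_p2p": classify(Flow("10.0.0.5", "tcp", 51413), counters),
        "weak_vpn_evidence": classify(Flow("10.0.0.9", "udp", 4500), counters),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The second sample host is the case a practitioner should watch: its affinity for the VPN model is 3.9 against a threshold of 4.0, so it stays "unknown" rather than being forced into a label. In a real deployment the counters would be reset or decayed at each time interval boundary, and the thresholds tuned against labelled traffic so that the false-positive rate on ordinary encrypted web traffic is measured, not assumed.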