Client-side application-classifier gathering network-traffic statistics and application and user names using extensible-service provider plugin for policy-based network control

US 6,141,686 A
Filed: 06/23/1998
Issued: 10/31/2000
Est. Priority Date: 03/13/1998
Status: Expired due to Term

First Claim

Patent Images

1. A client-side application-classifier comprising:

an upper interface to a higher-level network-socket library, the higher-level network-socket library for providing high-level network functions to high-level user applications by generating a socket for connecting to a remote machine on a network;

a lower interface to a network-transport layer, the network-transport layer for formatting data for transmission over the network;

an interceptor, coupled between the upper and lower interfaces, for intercepting network events;

an examiner, coupled to the interceptor, for examining the network event intercepted and collecting statistical information about the network event, the statistical information including;

an application name of one of the high-level user applications that caused the network event;

a timestamp for the network event;

a byte count when the network event is a transfer of data over the network;

Internet addresses and ports when the network event is a connection or a data transfer; and

a process identifier of a running instance of the high-level user application;

a consolidator, coupled to the examiner, for consolidating the statistical information into application-classifier tables, the application-classifier tables including current tables for currently-running instances of applications, and historical tables that include closed applications; and

a reporter, coupled to the consolidator, for sending the statistical information from the application-classifier tables to a remote policy server on the network, the statistical information including the application name,whereby the statistical information for network events is collected by the client-side application-classifier.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Low-level network services are provided by network-service-provider plugins. These plugins are controlled by an extensible service provider that is layered above the TCP or other protocol layer but below the Winsock-2 library and API. Policy servers determine priority of network traffic through control points on a network. Examining packets passing through these control points provides limited data such as the source and destination IP address and TCP ports. Many applications on a client machine may use the same IP address and TCP ports, so packet examination is ineffective for prioritizing data from different applications on one client machine. Often some applications such as videoconferencing or data-entry for corporate sales are more important than other applications such as web browsing. A application-classifier plugin to the extensible service provider intercepts network traffic at above the client'"'"'s TCP/IP stack and associates applications and users with network packets. These associations and statistics such as maximum, average, and instantaneous data rates and start and stop time are consolidated into tables. The policy server can query these tables to find which application is generating network traffic and prioritize the traffic based on the high-level application. Bandwidth-hogging applications such as browsers can be identified from the statistics and given lower priority.

988 Citations

20 Claims

1. A client-side application-classifier comprising:
- an upper interface to a higher-level network-socket library, the higher-level network-socket library for providing high-level network functions to high-level user applications by generating a socket for connecting to a remote machine on a network;
  
  a lower interface to a network-transport layer, the network-transport layer for formatting data for transmission over the network;
  
  an interceptor, coupled between the upper and lower interfaces, for intercepting network events;
  
  an examiner, coupled to the interceptor, for examining the network event intercepted and collecting statistical information about the network event, the statistical information including;
  
  an application name of one of the high-level user applications that caused the network event;
  
  a timestamp for the network event;
  
  a byte count when the network event is a transfer of data over the network;
  
  Internet addresses and ports when the network event is a connection or a data transfer; and
  
  a process identifier of a running instance of the high-level user application;
  
  a consolidator, coupled to the examiner, for consolidating the statistical information into application-classifier tables, the application-classifier tables including current tables for currently-running instances of applications, and historical tables that include closed applications; and
  
  a reporter, coupled to the consolidator, for sending the statistical information from the application-classifier tables to a remote policy server on the network, the statistical information including the application name,whereby the statistical information for network events is collected by the client-side application-classifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The client-side application-classifier of claim 1 wherein the interceptor is an extensible service provider and wherein the examiner is an application-classifier plugin to the extensible service provider, the extensible service provider for controlling other plugins providing low-level network services.
  - 3. The client-side application-classifier of claim 1 wherein the examiner includes means for generating an event object containing the statistical information, the event object sent to the consolidator and written into the application-classifier tables.
  - 4. The client-side application-classifier of claim 1 wherein the network event is selected from the group consisting of:
    - an application startup event when a high-level application is initialized;
      
      an application cleanup event when the high-level application is terminated;
      
      a socket open event when a new socket is opened;
      
      a socket close event when a socket is closed;
      
      a connect event when a connection is made from a client to a remote server;
      
      an accept event when a connection is accepted from a remote client;
      
      a send-complete event when a flow of data has been sent from the client to the remote server; and
      
      a receive-complete event when a flow of data has been sent from the remote server to the client.
  - 5. The client-side application-classifier of claim 4 wherein the statistical information for all network events includes a process identifier, wherein the application-classifier tables are indexed by the process identifier.
  - 6. The client-side application-classifier of claim 5 wherein the application-classifier tables store for each flow of each high-level application:
    - the process identifier;
      
      the timestamp;
      
      the application name;
      
      the byte count when the network event is a transfer of data over the network; and
      
      Internet addresses and ports when the network event is a connection or a data transfer;
      
      and wherein an application-classifier table for a high-level application contains;
      
      maximum, average, and most-recent data-transfer rates for flows generated by the high-level application.
  - 7. The client-side application-classifier of claim 1 wherein the network-transport layer is a TCP/IP stack coupled to a first network through a first media-access controller and coupled to a second network through a second media-access controller, the client-side application-classifier further comprising:
    - a network enhancer, coupled between the network-transport layer and the first and second media-access controllers, for intercepting network packets and extracting routing information including source and destination network addresses; and
      
      a route table, coupled to the network enhancer, for storing the routing information for the network packets;
      
      the examiner coupled to the route table to determine a source address of either the first media-access controller or of the second media-access controller when the source address is not available from the upper interface,whereby source addresses for clients with two network connections is obtained by the network enhancer below the TCP/IP stack.

8. A computer-implemented method for classifying network flows from a client, the method comprising:
- calling a socket function for opening or transmitting data through a socket-connection for connecting a high-level application to a remote machine on a network, the socket function being a function in an applications-programming interface (API) used by high-level applications to access the network;
  
  activating an extensible service provider before the data is sent from the socket function to a lower network-transport layer, wherein the data is intercepted by the extensible service provider, the extensible service provider for evaluating filters to determine which plugins need to be executed;
  
  activating an application-classifier plugin attached to the extensible service provider before the data is sent to the network-transport layer;
  
  collecting statistical information including a name of the high-level application generating the data, a user name, a timestamp, and a number of bytes transmitted when the application-classifier plugin is activated;
  
  consolidating the statistical information collected by the application-classifier plugin in application-classifier tables; and
  
  sending the statistical information to a policy server on a remote machine on the network, wherein the policy server prioritizes the data using the name of the high-level application obtained from the application-classifier plugin on the client,whereby the policy server prioritizes network data based on names of high-level applications obtained from the application-classifier plugin on the client.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The computer-implemented method of claim 8 wherein the step of sending the statistical information comprises:
    - searching the application-classifier tables for matching entries having a source and a destination IP address that match a source and a destination IP address that the policy server obtained by examining a network packet, the network packet not containing the name of the high-level application; and
      
      reading the name of the application from the matching entries and sending the name of the high-level application to the policy server as the high-level application that generated the network packet examined by the policy server,wherein the policy server prioritizes network traffic based on high-level applications rather than low-level IP addresses.
  - 10. The computer-implemented method of claim 9 further comprising:
    - generating an event object when the application-classifier plugin is activated, the event object indicating a type of network activity performed by the socket function, the event object containing the statistical information;
      
      sending the event object to the application-classifier tables, the statistical information being added to the application-classifier tables.
  - 11. The computer-implemented method of claim 10 further comprising:
    - finding bandwidth-hogging applications by reading byte-count fields in the application-classifier tables and comparing the byte-count fields to a threshold,wherein applications with network flows having byte-counts above the threshold are identified as high-bandwidth applications.
  - 12. The computer-implemented method of claim 11 further comprising:
    - using the timestamp in the statistical information and the number of byte transmitted to determine a rate of byte transfer;
      
      storing the rate of byte transfer in the application-classifier tables.
  - 13. The computer-implemented method of claim 8 wherein the application-classifier plugin is transparent to high-level applications, the application-classifier plugin performing low-level network services.

14. A computer-program product comprising:
- a computer-usable medium having computer-readable program code means embodied therein for classifying network traffic according to high-level application name, the computer-readable program code means in the computer-program product comprising;
  
  socket means for receiving data for transmission over a network, the data from a high-level application that uses a high-level library of socket-functions for sending the data to the socket means;
  
  transport means for sending the data to a lower-level network-transport layer, the lower-level network-transport layer for formatting the data for transmission over the network; and
  
  extensible service provider means, coupled to the socket means and to the transport means, for activating a application-classifier plugin when the data is sent to the transport means, the extensible service provider means further for activating other plugins;
  
  the application-classifier plugin including means for collecting information about the data, the information including a name of the high-level application generating the data, a source address and a destination address, and a timestamp;
  
  whereby the data is classified by the name of the high-level application generating the data sent to the network.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer-program product of claim 14 wherein the computer-readable program code means further comprises:
    - a consolidator, coupled to the application-classifier plugin, for storing the information collected in application-classifier tables with information collected for network data transmissions for other high-level applications,whereby the information is stored in the application-classifier tables.
  - 16. The computer-program product of claim 15 wherein the computer-readable program code means further comprises:
    - reporting means, coupled to the consolidator, for receiving requests from a policy server on a remote machine on the network, for reading the application-classifier tables and returning to the policy server the name of the high-level application from the application-classifier tables,whereby the policy server looks up the name of the high-level application sending the data to the network.
  - 17. The computer-program product of claim 16 wherein the request from the policy server includes source and destination IP addresses from data packets sent over the network from the socket means, but the data packets do not contain the name of the high-level application sending the data,whereby the policy server cannot obtain the name of the high-level application from the data packets but only from the application-classifier tables.
  - 18. The computer-program product of claim 16 wherein the computer-readable program code means further comprises:
    - filtering means for comparing transmission information for the data from the socket means to predetermined transmission criteria, for indicating when a socket matches the predetermined transmission criteria;
      
      wherein the extensible service provider means only activates the application-classifier plugin when the socket matches the predetermined transmission criteria.
  - 19. The computer-program product of claim 18 wherein the computer-readable program code means further comprises:
    - a blocking plugin, coupled to the extensible service provider means, for blocking the data from being transmitted to the network;
      
      wherein the policy server determines which data is low-priority data by reading the names of high-level applications from the application-classifier tables;
      
      wherein the blocking plugin blocks low-priority data from being transmitted on the network to reduce network traffic, the blocking plugin under control of the policy server,whereby the low-priority data is blocked at the source before being sent over the network.
  - 20. The computer-program product of claim 16 wherein the application-classifier plugin and extensible service provider means are installed on a client machine,whereby the client machine collects the information for use by the policy server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Deterministic Networks, Inc. (Gilat Satellite Networks Limited)
Inventors
Jackowski, Steven J., Thomas, Christopher N.
Primary Examiner(s)
Luu, Le Hien
Assistant Examiner(s)
Jaroenchonwanit, Bunjob

Application Number

US09/103,339
Time in Patent Office

861 Days
Field of Search

709/224, 709/226, 709/229, 709/104, 709/105, 709/301, 709/302, 709/304, 709/238, 709/206, 709/207, 709/103, 709/249, 710/10, 370/252, 370/254
US Class Current

709/224
CPC Class Codes

H04L 41/065   involving logical or physic...

H04L 41/0893   Assignment of logical group...

H04L 69/16   Implementation or adaptatio...

H04L 69/162   involving adaptations of so...

H04L 69/165   Combined use of TCP and UDP...

Client-side application-classifier gathering network-traffic statistics and application and user names using extensible-service provider plugin for policy-based network control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

988 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Client-side application-classifier gathering network-traffic statistics and application and user names using extensible-service provider plugin for policy-based network control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

988 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links