Client-side application-classifier gathering network-traffic statistics and application and user names using extensible-service provider plugin for policy-based network control
First Claim
1. A client-side application-classifier comprising:
an upper interface to a higher-level network-socket library, the higher-level network-socket library for providing high-level network functions to high-level user applications by generating a socket for connecting to a remote machine on a network;
a lower interface to a network-transport layer, the network-transport layer for formatting data for transmission over the network;
an interceptor, coupled between the upper and lower interfaces, for intercepting network events;
an examiner, coupled to the interceptor, for examining the network event intercepted and collecting statistical information about the network event, the statistical information including;
an application name of one of the high-level user applications that caused the network event;
a timestamp for the network event;
a byte count when the network event is a transfer of data over the network;
Internet addresses and ports when the network event is a connection or a data transfer; and
a process identifier of a running instance of the high-level user application;
a consolidator, coupled to the examiner, for consolidating the statistical information into application-classifier tables, the application-classifier tables including current tables for currently-running instances of applications, and historical tables that include closed applications; and
a reporter, coupled to the consolidator, for sending the statistical information from the application-classifier tables to a remote policy server on the network, the statistical information including the application name, whereby the statistical information for network events is collected by the client-side application-classifier.
Abstract
Low-level network services are provided by network-service-provider plugins. These plugins are controlled by an extensible service provider that is layered above the TCP or other protocol layer but below the Winsock-2 library and API. Policy servers determine priority of network traffic through control points on a network. Examining packets passing through these control points provides limited data such as the source and destination IP address and TCP ports. Many applications on a client machine may use the same IP address and TCP ports, so packet examination is ineffective for prioritizing data from different applications on one client machine. Often some applications such as videoconferencing or data-entry for corporate sales are more important than other applications such as web browsing. An application-classifier plugin to the extensible service provider intercepts network traffic above the client's TCP/IP stack and associates applications and users with network packets. These associations and statistics such as maximum, average, and instantaneous data rates and start and stop time are consolidated into tables. The policy server can query these tables to find which application is generating network traffic and prioritize the traffic based on the high-level application. Bandwidth-hogging applications such as browsers can be identified from the statistics and given lower priority.
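The consolidation step the abstract describes can be sketched as follows. This is an added illustration, not code from the patent: the class names, event tuple layout, one-second rate buckets and the constructed sample events (two applications on one client IP talking to the same destination port) are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class AppStats:                       # one row of an application-classifier table
    app: str
    user: str
    pid: int
    start: float
    stop: float
    total_bytes: int = 0
    per_second: dict = field(default_factory=lambda: defaultdict(int))
    flows: set = field(default_factory=set)

    def avg_rate(self):               # bytes/s over the instance lifetime
        return self.total_bytes / max(self.stop - self.start, 1.0)

    def max_rate(self):               # busiest one-second bucket
        return max(self.per_second.values(), default=0)

class Consolidator:
    def __init__(self):
        self.current = {}             # pid -> AppStats for running instances
        self.historical = []          # AppStats rows of closed instances

    def record(self, kind, ts, pid, app=None, user=None, src=None, dst=None, nbytes=0):
        if kind == "close":           # move the row from current to historical
            row = self.current.pop(pid, None)
            if row:
                row.stop = ts
                self.historical.append(row)
            return
        row = self.current.setdefault(pid, AppStats(app, user, pid, ts, ts))
        row.stop = ts
        row.flows.add((src, dst))
        if nbytes:
            row.total_bytes += nbytes
            row.per_second[int(ts)] += nbytes

    def bytes_by_app(self):           # what a policy server would query
        totals = defaultdict(int)
        for row in list(self.current.values()) + self.historical:
            totals[row.app] += row.total_bytes
        return dict(totals)

# Constructed sample events: (kind, timestamp, pid, app, user, src, dst, bytes)
B, V = ("10.0.0.5", 49152), ("10.0.0.5", 49153)
EVENTS = [
    ("connect", 0.0, 101, "browser.exe", "alice", B, ("192.0.2.10", 80), 0),
    ("connect", 0.5, 202, "videoconf.exe", "alice", V, ("192.0.2.20", 80), 0),
    ("send", 1.2, 101, "browser.exe", "alice", B, ("192.0.2.10", 80), 40000),
    ("send", 1.8, 101, "browser.exe", "alice", B, ("192.0.2.10", 80), 60000),
    ("send", 2.1, 202, "videoconf.exe", "alice", V, ("192.0.2.20", 80), 8000),
    ("send", 4.0, 101, "browser.exe", "alice", B, ("192.0.2.10", 80), 20000),
    ("close", 5.0, 101),
]

def consolidate(events):
    c = Consolidator()
    for ev in events:
        c.record(*ev)
    return c
```

Both flows leave the same client address for the same destination port, so a control point sees no difference between them; the per-process rows are what let the browser's 120000 bytes be separated from the videoconference traffic.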
20 Claims
8. A computer-implemented method for classifying network flows from a client, the method comprising:
calling a socket function for opening or transmitting data through a socket-connection for connecting a high-level application to a remote machine on a network, the socket function being a function in an applications-programming interface (API) used by high-level applications to access the network;
activating an extensible service provider before the data is sent from the socket function to a lower network-transport layer, wherein the data is intercepted by the extensible service provider, the extensible service provider for evaluating filters to determine which plugins need to be executed;
activating an application-classifier plugin attached to the extensible service provider before the data is sent to the network-transport layer;
collecting statistical information including a name of the high-level application generating the data, a user name, a timestamp, and a number of bytes transmitted when the application-classifier plugin is activated;
consolidating the statistical information collected by the application-classifier plugin in application-classifier tables; and
sending the statistical information to a policy server on a remote machine on the network, wherein the policy server prioritizes the data using the name of the high-level application obtained from the application-classifier plugin on the client, whereby the policy server prioritizes network data based on names of high-level applications obtained from the application-classifier plugin on the client.
14. A computer-program product comprising:
a computer-usable medium having computer-readable program code means embodied therein for classifying network traffic according to high-level application name, the computer-readable program code means in the computer-program product comprising;
socket means for receiving data for transmission over a network, the data from a high-level application that uses a high-level library of socket-functions for sending the data to the socket means;
transport means for sending the data to a lower-level network-transport layer, the lower-level network-transport layer for formatting the data for transmission over the network; and
extensible service provider means, coupled to the socket means and to the transport means, for activating an application-classifier plugin when the data is sent to the transport means, the extensible service provider means further for activating other plugins;
the application-classifier plugin including means for collecting information about the data, the information including a name of the high-level application generating the data, a source address and a destination address, and a timestamp;
whereby the data is classified by the name of the high-level application generating the data sent to the network.
Specification